Author Archives: privacynewshighlights

12-19 May 2016


WW – Facebook Launches Facial Recognition App Without Facial Recognition Technology

Facebook is releasing its photo app Moments in Europe, but with some important changes in order to comply with EU privacy laws. While the U.S. version of Moments features facial recognition technology, the European version will not, in part because of Facebook’s battle with the Irish data protection commissioner over the legality of the technology. The app uses facial recognition technology to identify individuals within photos bundled from the same event. The European version will still group photos from a particular event, but users will have to manually tag their friends. One major difference allows European users to share their photos privately, in a move geared toward the more privacy-cautious EU userbase. [The Guardian]

US – FBI Doesn’t Want Privacy Laws to Apply to Its Biometric Database

The FBI has been building a massive biometric database for the last eight years. The Next Generation Identification System (NGIS) starts with millions of photos of criminals (and non-criminals) and builds from there. Palm prints, fingerprints, iris scans, tattoos and biographies are all part of the mix. Despite having promised to deliver a Privacy Impact Assessment of the database back in 2012, the FBI’s system went live towards the end of 2014 without one. That’s a big problem, considering the database’s blend of guilty/innocent Americans, along with its troublesome error rate. The FBI obviously hopes the false positive rate will continue to decline as tech capabilities improve, but any qualms about bogus hits have been placed on the back burner while the agency dumps every piece of data it can find into the database. The FBI has shown little motivation to address Americans’ privacy concerns by providing an updated Impact Assessment (the one it does have dates back to the program’s inception in 2008), but has wasted no time in alerting legislators about its own privacy concerns. On Thursday, the Justice Department agency plans to propose the database be exempt from several provisions of the Privacy Act — legislation that requires federal agencies to share information about the records they collect with the individual subject of those records, allowing them to verify and correct them if needed. The DOJ’s comments reflect the FBI’s desire to keep its newest tracking toy as secret as possible. It asks for a number of exceptions and justifies those with the same excuses it uses to withhold information from both courts and FOIA requesters. [Source]

UK – PwC White Paper Points to Best Privacy Practices When Using Biometric Matching for Authentication

Nok Nok Labs, a member of the FIDO (Fast IDentity Online) Alliance, published a White Paper from PwC Legal comparing key privacy implications of on-device and on-server matching of biometric data. For organisations considering biometrics as they move away from reliance on usernames and passwords, the report highlights why device-side matching of biometric data is a compelling approach to satisfy key privacy requirements on cross-border personal data transfers, as well as providing the benefits of individual choice and control around such personal data. Other key findings in the White Paper include:

  • Freely given, informed user consent is required before processing biometric data in almost every jurisdiction covered in the White Paper
  • With centralised storage of biometric data, the potential for large-scale loss of data is significantly increased
  • On-device authentication will generally avoid international cross-border biometric data transfer implications. Conversely, on-server authentication for a global network of biometric users results in international transfers of data; transfer of personal data, including biometric data, out of a jurisdiction is generally restricted

“Biometrics are a compelling way to improve mobile application usability and avoid the security pitfalls of username/passwords, but significant privacy concerns come into play,” said Phillip Dunkelberger, President & CEO of Nok Nok Labs. “With biometrics, it is crucial to understand the difference between on-device and on-server matching, as the difference between the two approaches significantly affects the risk and exposure of data in a breach. The on-device approach, as used by Nok Nok Labs technology, ensures optimal privacy for biometric information.” [Source] [FedScoop: PwC Study: Device-Side Biometrics Preferred Over Server-Side]

AU – OAIC Seeks Feedback on Draft Guide to Big Data & Privacy

The Office of the Australian Information Commissioner is seeking feedback on a draft guide to the interaction between so-called big data and Australian privacy law. In particular, the draft examines how the Australian Privacy Principles (APPs) apply to big data. “There is no doubt that big data practices challenge us to think about how key existing privacy principles — including notice and consent, data collection, use limitation, and retention minimisation, — work in practice,” acting Australian Information Commissioner Timothy Pilgrim said. “However, the APPs [Australian Privacy Principles] are technologically neutral, and structured to reflect the entirety of the information lifecycle. This means entities have the flexibility to tailor their personal information handling practices to respond to the privacy challenges of big data uses.” “The draft guide is aimed at facilitating big data activities while protecting personal information. It encourages entities to take a risk management approach and to use existing privacy tools to get privacy right for big data,” Pilgrim said. [Source] The document is available from the OAIC’s website. The deadline for submissions on the draft is 26 July.


CA – OPC Starts Consultations on the Realities of Customer Consent

“It seems clear that reading privacy policies could be a full-time pursuit with untold hours of overtime,” federal privacy commissioner Daniel Therrien told a privacy conference in Toronto. “It is no longer entirely clear who is processing our data and for what purposes – creating challenges for meaningful consent.” That’s why his office has started a consultation with chief privacy officers and other executives, researchers as well as the public on whether the consent model — largely instituted by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) — should be improved or should there be more focus on accountability and ethical uses of personal information by organizations, which would place the responsibility for oversight on regulators. [Source]

CA – OPC Releases Publication Highlighting Independent Privacy Research Projects Funded by Contributions Program

The Office of the Privacy Commissioner of Canada (OPC) has released the latest edition of Real Results—a publication highlighting the innovative and socially relevant independent privacy research and knowledge translation projects funded by the OPC Contributions Program over the past few years. The new edition of Real Results features funded projects that explore a range of emerging privacy issues—police background checks, the use of genealogical information, and telematics systems in cars—as well as some innovative approaches for helping young people learn to protect their privacy. The stories feature key findings of the projects, as well as commentaries and ideas from the researchers themselves that illustrate the issues and the impact of their work. The OPC Contributions Program funds independent privacy research and related knowledge translation initiatives. These projects not only advance the collective knowledge on privacy, they provide real, tangible research results that Canadians can use to make decisions about privacy protection in their own lives. To explore all research and knowledge translation projects funded by the OPC Contributions Program, see the Contributions Program projects listed by year on our website. [Source]

CA – NWT Government Seeking Comments on Reforms to ATIPPA

The Department of Justice for the Northwest Territories has issued a consultation on reform of the Access to Information and Protection of Privacy Act. Comments will be accepted until June 15, 2016. A comprehensive review of the Act is being conducted to address identified issues related to the purposes of the Act, the scope of the Act, time limits for responding to access to information requests, mandatory and discretionary exceptions to disclosure, circumstances allowing disclosures of personal information, the powers of the IPC, and current levels of fines for offences under the Act. [NWT Government – Public Engagement on the Comprehensive Review of the Access to Information and Protection of Privacy Act]

CA – Gov’t Minister Veto Could Trump Proposed Info Commish Powers

The Liberal government is floating the idea of a ministerial veto over planned new powers for the information commissioner — a move that would give cabinet the power to block release of documents. …Currently the commissioner, an ombudsman for users of the access law, can investigate complaints and recommend that records be released. But she cannot force a government agency to do so, and must head to court to pursue the matter further. Provincial commissioners in British Columbia, Alberta, Ontario, Quebec and Prince Edward Island have the power to order the release of government information. Many openness advocates have called for the federal commissioner to have similar authority. [Source]

CA – Quebec Info Commish Blasts School Board Over Data Sent to US

Quebec’s Information Commissioner has condemned Lester B. Pearson School Board (LBPSB) for sharing confidential personal information far too freely. Judge Cynthia Chassigneux ruled that LBPSB grossly violated its stakeholders’ rights by sharing their personal information with a private California database firm Blackboard Connect, where it is subject to disclosure to American authorities under the Patriot Act. [The Suburban]

CA – Ontario Court of Appeal to re-Examine Shielding Data from US Probes

What happens to data being stored in Canada and whether it can be accessed by foreign law enforcement agencies is a question Canadian courts are currently grappling with. Two decisions — one in Ontario, the other in British Columbia — have determined that information held in servers in Canada can’t be shielded for review by American investigators. But the Ontario Court of Appeal has decided to re-examine one of those cases. [Law Times]

CA – BC Court of Appeal Rules on Privacy, Technology, and Instant Messaging

In its recent decision R. v. Craig, 2016 BCCA 154, the B.C. Court of Appeal recognized a reasonable expectation of privacy in private instant messages shared on a social network. Even though the context was criminal law, the reasoning underlying the decision is of interest to any practitioner confronted with protection of privacy issues. This bulletin discusses this case first by presenting the facts, followed by the legal issues, the “reasonable expectation of privacy” test, and the court’s guidance for the future. “In our opinion, this decision can be summed up in two words as it pertains to reasonable expectation of privacy: tradition and progress. Legal tradition, because the Court of Appeal reiterated and affirmed the doctrine of confidentiality in private communications: the sender is not supposed to know that the recipient will share the message with third parties. Technical progress, because the Court of Appeal applied this doctrine, with the necessary adaptations, to the digital universe, by explaining that private instant messages shared on a social media website are entitled to an objective expectation of privacy. Most importantly, from a much broader perspective, this principle would apply to any private technological communication.” [Fasken]

CA — OPC Releases Survey Results on Canadian Businesses

The Office of the Privacy Commissioner of Canada recently commissioned a telephone survey of 1,016 Canadian companies to find out how Canadian businesses fare with their privacy knowledge and protections. The informative report on the survey is the 2015 Public Opinion Research with Canadian Businesses on Privacy-Related Issues. Canadian businesses report increased knowledge of privacy issues, but little progress in implementing privacy policies or response plans for data breaches – placing them at risk for new enforcement activities and fines. [Source]

CA – RCMP Surveilled Journalists for 9 Days Without Authorization

Mounties probing CSIS leak conducted unauthorized surveillance of 2 journalists Officers spent 9 days watching Ottawa-based journalists, new document reveals. Only after the surveillance of the reporters had occurred did officers ask their RCMP bosses for the required permission. They were immediately denied authorization, and told to cease the surveillance. The bombshell revelation about a national police agency spying without authorization on Canadian journalists appears in a document obtained by CBC News under the Access to Information Act. The partly censored briefing note for Public Safety Minister Ralph Goodale was written after media reports appeared last November detailing Project Standard. That was the official name of the Mountie probe into the leak of a 2003 secret document, created by the Canadian Security Intelligence Service (CSIS), to journalists working for the Montreal newspaper La Presse. [CBC] [Trudeau: ‘Unacceptable’ That Rogue Canadian Cops Spied on Two Journalists] See also: [Mulcair calls for inquiry into RCMP surveillance of journalists] [RCMP commissioner speaks out on unauthorized surveillance]

CA – Privacy Laws for Mental Health Care in Nova Scotia Could Soon Be Reviewed

The governing Liberals are ready to examine whether Nova Scotia’s privacy law is preventing young adults from getting the support they need when they are suffering from a mental illness. The issue was front and centre at Province House on Tuesday during a visit to the legislature by Carolyn Fox. Her daughter, Cayley, 21, killed herself on Jan. 22. [Source] See also: [Nova Scotia mental health care privacy laws unlikely to change: former health czar]


CA – Ipsos Survey Finds Most Canucks Don’t Trust Gov’t With Their Info

A majority of Canadians believe that their personal, confidential information held by all levels of government is vulnerable to a security breach, including non-authorized internal access or an external data hack and theft, according to a new Ipsos poll conducted on behalf of Accenture. Municipal governments top the list, with 56% of Canadians describing them as vulnerable (16% very/41% somewhat) to threats when it comes to personal data for things such as property tax, water/sewage and traffic fines. A minority (44%) does not see their information as vulnerable (9% not at all/34% not very). Other levels of government don’t perform much better, as many feel the same way about their provincial government, which stores confidential data for drivers’ licenses, health cards and birth certificates: a slim majority (55%) say entities at the provincial level are vulnerable to data security breaches (20% very/35% somewhat), while nearly half (45%) say they aren’t vulnerable (13% not at all/32% not very). When sharing their personal, confidential data with the Federal government – for anything from taxes to SIN cards to passport renewals – 53% of Canadians feel their data is vulnerable to a security breach (20% very/33% somewhat), while fewer than half (47%) do not (15% not at all/32% not very). While most Canadians likely trust their doctor, many are less convinced about the security of their health records. Half (55%) feel records held at their doctor’s office or hospital are vulnerable (20% very/35% somewhat) to a security breach, while 45% do not (14% not at all/31% not very). Other institutions are not exempt from data protection concerns. Half of Canadians (52%) feel their hydro electricity provider is vulnerable to a data security breach (14% very/38% somewhat), while the other half (48%) does not feel their information held by their hydro provider is vulnerable (10% not at all/38% not very). [Source] [Press Release | Detailed Tables 1 | Detailed Tables 2

US – NTIA study: Privacy Concerns Curtailing Americans’ Online Activity

A National Telecommunications & Information Administration survey found Americans are concerned about online privacy and security and are curtailing their activities as a result. The survey revealed 19% of Internet-using households, equaling around 19 million, have been hit by a negative event, including a security breach or identity theft in the 12 months before the July 2015 survey. When asked about online concerns, 84 percent of participants named at least one online security concern, with identity theft cited as the most pressing issue, coming in at 63%. These fears are affecting online habits, the report states, as 45% of households said concerns stopped them from activities such as financial transactions, posting on social media or buying goods or services, with 30 percent saying it stopped them from performing at least two of those actions. [NTIA] [Privacy And Security Concerns Are Keeping Many Americans Offline]

UK – High-Profile Data Breaches Affecting Consumer Trust in Big Brands

A survey of 1,000 UK consumers commissioned by FireEye has revealed that last year’s high-profile data breaches have dented long term consumer trust in major brands. Findings highlighted rising public concerns over a perceived lack of board-level concern for data privacy, with almost three quarters (72%) of consumers stating that they were likely to stop purchasing from a company if a data breach was found to be linked to the boardroom failing to prioritise cyber security. A data breach linked to a lack of board-level attention was deemed less acceptable than if a data breach had occurred as a result of human error – with only 38% of consumers stating that they would be likely to stop purchasing if this was the reason. 29% of consumers said that data breaches had diminished their loyalty as current or potential customers of affected brands, and 38% said that they felt more negatively about companies that suffer data breaches, indicating that consumers are still largely viewing the organisations breached as the parties at fault, rather than victims of cyber crime. In addition to this, over a quarter of consumers (27%) indicated that persistent data breaches have negatively affected their perception of organisations that they buy from in general, indicating that persistent reports of data breaches is not just harming the reputation of affected organisations, but having a wider impact on consumer trust. The findings also reveal the potential long-term financial impact of data breaches on major brands, with 52% of consumers warning they would take legal action against companies if a data breach resulted in their personal details being stolen or used for criminal purposes. 62% of consumers also reported that they will now share fewer personal details with companies, which could hit the revenues of organisations – from social media platforms to search engines – that rely on collecting detailed consumer data for advertisers. [Source]


AU – Vic.P.Commish Says Compulsory Census A Bad Precedent

Australian jurisdictions are highlighting privacy and data control this month, but disquiet remains about The Australian Bureau of Statistics’ recent reversal of a longstanding policy and plan for mandatory retention of names and addresses with this year’s national census. Victoria’s privacy chief worries compulsory collection of information for purposes other than law enforcement “could set a really bad precedent”. The census collects a huge array of personal data in one place — a potential honeypot for those involved in identity crime. “One of the privacy principles is data minimisation and that’s contrary to what the census is about, so I have reservations about it,” he says. [Source] [CA— Ex-MP Dean Del Mastro says long-form census may violate right to privacy]

CA – Microsoft Opens Azure Cloud Floodgates for Canadian Businesses

Microsoft has finally made its Azure Cloud services generally available in Canada post a short limited availability experiment in March. To provide Canadian businesses with the satisfaction that their data isn’t leaving the country, all users will be provided cloud services through local datacentre regions located in Toronto and Quebec City. Microsoft has also said that its Office 365 customers will also be provided data residency through the local datacentres. “With so much momentum in the cloud, we are thrilled to welcome Bell Canada as the first Canadian telecommunications partner for Azure ExpressRoute,” said Canadian MSFT CEO Janet Kennedy. [Source]


CA – CRTC Fines Company $194,000 for Unsolicited Telemarketing Calls

The Canadian Radio-television and Telecommunications Commission issued a Notice of Violation to Thee Future Web Ltd. for violations of the Unsolicited Telecommunications Rules. The company made calls to individuals registered on the National Do Not Call List, had not registered or subscribed to the Do Not Call List, and did not provide the appropriate information in a clear manner upon reaching the individual. [CRTC – Notice of Violation – Thee Future Web Ltd] See also: [CRTC Fines Company $30,000 For Unsolicited Telemarketing Calls: Notice of Violation – Century 21 Innovative Realty Inc.] and [CRTC Fines Company $65,000 For Unsolicited Telemarketing Calls: Notice of Violation: Right at Home Realty Inc. – PDR 9174-1603]

Electronic Records

SA – South Africa: 32% of Business Not Confident in Cloud Data Security

Despite the many benefits of moving to the cloud, South African businesses are still hesitant to make the transition. There is still much uncertainty about the move and how it will affect business. …Here are five extra reasons why adopting the cloud could work for your business. According to Vodacom Business, 32% of South African businesses are not confident that data is secure when using a cloud service. There are several reasons why wariness of transitioning to the cloud exists such as:

  • Loss of control.
  • Handing the performance of your business over to a 3rd
  • What if the system fails?
  • What position will the business be in if it isn’t able to perform?
  • The fear of operations being affected.
  • Security concerns. [Source]


EU – Europol Director: Encryption Affects 75% of Agency’s Cases

Rob Wainwright, director of Europol, says encryption is a major problem in most of the cases the agency handles, Motherboard reports. Wainwright responded to an op-ed written by John Naughton for the Guardian on Twitter, proclaiming how encryption has been plaguing Europol cases. “Encryption dilemma must be solved soon. Real problem in 75% of all Europol cases” Wainwright tweeted. While Wainwright did not elaborate on the types of encryption troubling Europol, Claire Georges, a member from the agency’s corporate communications, said technology such as Tor and bitcoin are part of the problem. “Technology in general is used not only by cybercriminals, but also by drug dealers, child sexual offenders and other criminals involved in different illegal activities. Encryption is commonly used in secure communications and is becoming a standard protection feature in many products, such as e-wallets for virtual currencies,” Georges said. [Full Story]

EU Developments

EU – European Court Advisor: Dynamic IP Addresses Are Personal Data

Dynamic IP addresses are subject to privacy protection rules, the EU Advocate General said in a non-binding opinion. …The opinion, issued by Advocate General Manuel Campos Sánchez-Bordona, is online but has yet to be translated into English. The advocate general’s opinions are non-binding but they typically dictate how the European Court of Justice will rule. [Electronic Privacy Information Center] [CBS] [EU Advocate General Considers “Dynamic IP Addresses” as “Personal Data”: an Extension of Personal Data Scope?]

UK – ICO Issues Guidance for Direct Marketing by Charities & Business

Following a year that saw investigations into direct marketing by charities and a change in the law that led to the UK Information Commissioner’s Office setting record fines for nuisance calls and texts, ICO’s recent update of its guidance on direct marketing comes at a critical time. In light of the new guidance – as well as the new EU data protection regulation and expected review of the e-privacy directive – it’s more important than ever that those involved in direct marketing understand how to apply this complex area of law. Most of the new guidance focusses on helping charities to comply with the law, but it also gives helpful clarification for businesses that do direct marketing: particularly on the issue of what constitutes consent to use data, including ‘indirect’ consent. This article highlights the changes to ICO’s guidance, and what else is on the horizon that might affect how businesses conduct direct marketing. [Source]

Facts & Stats

UK – Survey Finds Brits ‘Confused’ About Security & Privacy Priorities

An F5 survey exploring the attitudes of data and security handling found half of UK respondents agree that tech firms should prioritise national security over consumer privacy. Only 26% of Brits agreed that privacy should be prioritised over security. The survey found that two-thirds of respondents were concerned about their privacy being compromised, while 72% had no confidence in social networks to protect their data from hackers effectively. But despite this, more than half were willing to share personal information for free access to a company service. People it seems are willing to share date of birth (53%), marital status (51%) and personal interests (50%) in return for a free service. But almost a third (31%) see no value in giving their personal data to companies. Nearly all consumers (88 percent) feel strongly that organisations should improve authentication for greater security. [Source]


WW – Study: Google has denied 75% of RTBF requests

The organization behind the right to be forgotten application site, Reputation VIP, has released a new report which found in the two years since Google began accepting RTBF requests, the company has refused 70 to 75 percent of them. Germany and U.K. residents most frequently make RTBF entreaties, the report states. While “invasion of privacy” tops the catalyst for most applications, “Google most frequently denies removal requests that concern professional activity,” the report states. “Following that, Google often denies requests where the individual involved is the source of the content sought to be removed.” [Search Engine Land]


AU – Database Makes Australian Credit Scores Public

A new credit rating database allows Australians to look up the credit scores of other civilians by address. Dubbed Georisk, the publicly accessible system exists for companies to “keep track” of consumers’ financial history while helping predict customers’ credit worthiness. It then ranks the scores on a risk factor from one to 10. The database has frustrated privacy advocates, the report states. “I think most people are going to feel their privacy is being grossly invaded by public disclosure of this information for anyone who wants to look at it for any purpose whatsoever,” said Civil Liberties NSW’s Stephen Blanks. [Yahoo7 News]

AU – Privacy Issues With Household Credit Ratings Posted Online

Civil libertarians have been left outraged by a public database which shows household credit ratings. It’s information anyone can look up, all that is needed is an address. Credit rating companies keep track of past financial behaviour to predict a person’s credit worthiness. Now companies are able to access a credit risk rating that has been applied to every household in Australia. Georisk aims to measure an individual’s financial risk, by putting consumers in a range from one to ten. The ratings are publicly available to anyone who wants to search it on a computer. Not everyone was pleased to know their information was publicly visible online. However the creators have defended the website, saying they weren’t offering anything that was sensitive to the individual. To see what your home’s credit risk rating is click here. [Video: Outrage over private household information being released on public database] [Source]

WW – Payday Loan Ads Prohibited on Google

Google will no longer permit “payday loan ads” on its site. The Wednesday announcement is a concession to critics who argue that the lending practices exploit “the poor and vulnerable,” the report states. They pose a privacy concern as well. “You search the Internet when you need help — and as a result you may give search engines some really sensitive information about your finances,” said Georgetown Law Center on Privacy & Technology’s Alvaro Bedoya. He called Google’s decision a “principled stance,” adding that it will set a precedent for other search engines. [Full Story]

WW – Verizon 2016 Report Confirms People Are #1 Source of Data Breaches

Verizon has just published its 2016 Data Breach Investigation Report. In preparation for this publication, Verizon reviewed more than 100,000 incidents (reported by a plethora of technology companies, law firms, government agencies, and insurance companies, as well as through its own investigations), of which 3,141 were confirmed data breaches. The report yielded several interesting trends. Not surprisingly, most data breaches are about money — thieves stealing data because of its value. 63% of confirmed data breaches involved leveraging weak, default, or stolen passwords, proving that data thieves will exploit vulnerabilities to take the easiest route. Phishing continues to trend upward. People seemingly just can’t help clicking on authentic-sounding “click here to reset your banking password” e-mails. For example, Verizon found 30% of phishing messages were opened, unfortunately an increase from 23% in 2014. 12% then proceeded to open the malicious attachment or click the link, no doubt to their peril. Overall, 95% of breaches, and 86% of incidents across all industries, predictably fell into nine identified patterns:

  • miscellaneous errors (17.7%),
  • insider and privilege misuse (16.3%),
  • physical theft and loss (15.1%),
  • denial of service (15%),
  • crimeware (12.4%),
  • web app attacks (8.3%),
  • point-of-sale intrusions (0.8%),
  • cyber-espionage (0.4%),
  • and payment card skimmers (0.2%).
  • the bucket “everything else” category covered 13.8%.

Interestingly, many of the data breaches reported were not caused by super-secret and sophisticated Mission Impossible-style attacks involving hacking or the wearing of black ninja gear while scaling walls. Instead, many breaches fall into what I think of as the “people are people” category — highlighting human greed/avarice and our basic capacity to make dumb mistakes. [Source]


CA – Court Rules Severance Payment Information Is Exempted from Disclosure Under New Brunswick FOI Legislation

The Court considered an appeal of the Access to Information and Privacy Commissioner’s decision recommending St. Thomas University release information requested under New Brunswick’s Right to Information and Protection of Privacy Act. The Court ruled that, contrary to the Privacy Commissioner’s recommendation, an organization does not have to disclose severance payment information to a requester; such information is neither a “benefit” (it does not bestow an advantage or betterment on a recipient) nor “discretionary” (it is made only to avoid or settle litigation). [Elizabeth Hans v. St. Thomas University – 2016 NBQB 049 – In the Court of Queen’s Bench of New Brunswick, Trial Division, Judicial District of Fredericton]

CA – Information Commissioner Opposes Government Veto Power Over Releasing Files

Information Commissioner Suzanne Legault says giving the government a veto over the release of files would turn her federal watchdog role into “a mirage.” Legault told a Commons committee studying reform of the Access to Information Act that she firmly opposes the idea of a ministerial trump card over proposed new order-making powers for her office. The Liberals promised the information commissioner could issue “binding orders” during last year’s election campaign. …[Now] the Liberal government is floating the notion of a veto that would give the federal cabinet power to block release of documents even if [Information Commissioner] Legault ordered disclosure. [Source]

WW – The Intercept Is Broadening Access to the Snowden Archive

The Intercept has announced two innovations in how they report on and publish the Snowden Archives. Both measures are designed to ensure that reporting on the archive continues in as expeditious and informative a manner as possible, in accordance with the agreements we entered into with our source about how these materials would be disclosed, a framework that he, and we, have publicly described on numerous occasions. The first measure involves the publication of large batches of documents. We are, beginning today, publishing in installments the NSA’s internal SIDtoday newsletters, which span more than a decade beginning after 9/11. We are starting with the oldest SIDtoday articles, from 2003, and working our way through the most recent in our archive, from 2012. Our first release today contains 166 documents, all from 2003, and we will periodically release batches until we have made public the entire set. The documents are available on a special section of The Intercept. Accompanying the release of these documents are summaries of the content of each, along with a story about NSA’s role in Guantánamo interrogations, a lengthy roundup of other intriguing information gleaned from these files, and a profile of SIDtoday. We encourage other journalists, researchers, and interested parties to comb through these documents, along with future published batches, to find additional material of interest. Others may well find stories, or clues that lead to stories, that we did not. (To contact us about such finds, see the instructions here.) A primary objective of these batch releases is to make that kind of exploration possible. Consistent with the requirements of our agreement with our source, our editors and reporters have carefully examined each document, redacted names of low-level functionaries and other information that could impose serious harm on innocent individuals, and given the NSA an opportunity to comment on the documents to be published (the NSA’s comments resulted in no redactions other than two names of relatively low-level employees that we agreed, consistent with our long-standing policy, to redact). Further information about how we prepared the documents for publication is available in a separate article. We believe these releases will enhance public understanding of these extremely powerful and secretive surveillance agencies. [Source]

US – Appeals Court: DPPA Doesn’t Cover Traffic Accident Reports

A Wisconsin state appeals court has ruled that the Driver’s Privacy Protection Act doesn’t require law enforcement agencies looking to comply with open records laws to redact names from accident reports. DPPA in fact includes an exception for unredacted, non-Department of Motor Vehicles-supplied accident reports. The ruling came at the relief of Wisconsin officials who had “begun blacking out drivers’ names and other information that normally would be public in accident reports” for fear of DPPA violations, the report states. The court did, however, encourage a state circuit court to decide if the unredacted traffic accident information served a purpose beyond compliance, the report adds. [FierceGovernmentIT]


US – Vanderbilt Receives $4M to Study Genetic Data Privacy

The National Institutes of Health awarded researchers at the Vanderbilt University School of Medicine a $4 million, four-year grant to study the privacy ramifications surrounding genomic data use. “We’re really broadening our horizons to think about how history and public opinion and literature affect the way individuals and communities think about privacy concerns,” said primary investigator Ellen Wright Clayton. “Ultimately, the goal is to develop policy recommendations that address the complexity of what’s at stake.” Johns Hopkins University, University of Utah, and University of Oklahoma also received similar grants, the report states. [EurekAlert!

Health / Medical

CA – OIPC SK Releases Comprehensive Guidance for Health Information Protection Act

The OIPC SK has provided trustees with guidance to interpret The Health Information Protection Act, including:

  • guidance on when to disclose personal health information to family and friends;
  • guidance on de-identified PHI;
  • guidance on faxing PHI;
  • recommended safeguards;
  • best practices for data sharing agreements; and
  • privacy breach guidelines.

The guidance includes circumstances under which PHI may be disclosed to family/friends, de-identification of PHI (including an explanatory list of techniques), considerations for data sharing agreements with providers, recommended security measures (including faxing considerations), and a 4-step privacy breach process. [OIPC SK – IPC Guide to HIPA]

WW – Providers Seek Cloud Solutions for Healthcare Data Security

Healthcare data security has become a top priority for IT professionals when it comes to investing in cloud applications in 2016, reported the survey. In the 2014 survey, only 31.3% of survey participants stated that their organization planned on investing in cloud solutions for disaster recovery purposes, which often includes healthcare data security measures. Researchers also found that respondents were implementing cloud services to develop more comprehensive incident recovery plans. When participants were asked to assess the motivation factor from 1 (least motivating) to 7 (highly motivating), healthcare data security response was evaluated at 5.11. [Source]

WW – Healthcare Suffers Estimated $6.2 Billion in Data Breaches

Nearly 90 percent of healthcare organizations were slammed by a breach in the past two years. …The most commonly exposed data in healthcare breaches are medical records, followed by billing and insurance records, and payment information. Some 64% of attacks targeted medical files and billing and insurance records, up from 45%. Nearly 40% of healthcare organizations and 26% of their business partners say they know of medical identity theft incidents affecting their patients and customers, but 64% of healthcare organizations don’t offer credit protection services for victims, and 67% of business partners don’t have procedures in place to correct errors in medical records—a gap that could be life-threatening in the case of an identify thief using a patient’s medical information for fraudulent purposes, the Ponemon report notes. [Source] [Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data by the Ponemon Institute]

Study: 90% of Health Care Organizations Suffered Data Breach

A Ponemon Institute report found nearly 90% of health care organizations suffered at least one data breach during the past two years, costing the industry $6.2 billion, InformationWeek reports. Ponemon’s “Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data” discovered 79% of those organizations suffered two or more breaches, with 45% saying they had been hit by more than five breaches. With most of the breaches exposing less than 500 records, the incidents are not reported to the Department of Health and Human Services. The report also discovered health care budgets for security have either dropped, or remained the same during the past year. In related news, Vormetric released a study revealing 90% of security pros in the financial sector feel vulnerable to data threats, with 44 percent already experiencing a breach. [Full Story] [The Star reports on the first person ever charged under Ontario’s new health care privacy law.]

US – World Privacy Forum Questions Adequacy of PMI Privacy Principles

The World Privacy Forum says privacy principles set forth for the Precision Medicine Initiative “lack detail and fail to address underlying legal requirements and protections.” In a research paper published this week, the organization notes that the HIPAA Privacy Rule will not apply to the research, and that the principles “appear to be voluntary and lack important legal and administrative details.” The current privacy principles in place for the initiative were created by the White House with help from experts working both inside and outside the government. They include categories such as transparency to participants and the public; respect for participant preferences; and appropriate data sharing, access and use. In the paper, WPF outlines its privacy concerns for the PMI and identifies issues that should be addressed. Some recommendations the authors make include:

  • The structure and organization of the initiative must be detailed so privacy protections can be assessed, and participants must know who will maintain their data.
  • Uses and disclosures of the data for security and law enforcement purposes should be clarified.
  • There is “immediate need” for a Privacy Impact Assessment, which then should be open for public comment.
  • Privacy rules should be described as covering health records, administrative records and monitoring from health devices and mHealth tools. [Source]

Horror Stories

WW – LinkedIn Resets Passwords as 117M Logins for Sale on Dark Web

LinkedIn has confirmed a significant breach from 2012 was worse than first thought, with the number of leaked usernames and passwords rising from 6.5 million to a purported 117 million. Earlier this week, fresh LinkedIn credentials went on sale on a dark web market known as The Real Deal. 117 million LinkedIn usernames and passwords will cost 5 Bitcoins, worth approximately $2,200. LinkedIn is in the process of resetting user passwords for every member who joined before 2012 who had not changed their password since the previously-reported breach. It confirmed the action in a blog post, in which it added: “We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply. In the meantime, we are using automated tools to attempt to identify and block any suspicious activity that might occur on affected accounts.” [Forbes]

Identity Issues

US – Firms Suffering Data Breaches Can Tap Free Customer Fraud Protection

Organizations that suffer data breaches may now be able to offer free fraud protection to their customers through a new program announced this week. Austin, Texas-based data security and analytics company XOR Data Exchange has launched a new platform, the Compromised Identity Exchange, which “aims to protect U.S. consumers, businesses and government entities from data breach-related identity theft and fraud.” Participation in the exchange is free to organizations that have suffered a data breach of personally identifiable information in order to drive widespread protection for breach victims. According to the firm, The Compromised Identity Exchange synthesizes breached records with ongoing fraud analysis to offer banks, financial lenders and other service providers “unprecedented insight into which of their accounts and applications carry a higher risk of fraud related to one or more data breaches.” It does this without the need for ongoing data sharing from breached entities, the firm stressed. [Source]

US – Stanford Study: Basic Phone Logs Can Reveal Your Intimate Details

Following Edward Snowden’s revelations about surveillance, officials have downplayed its programs as being concerned not with the actual content of email or phone calls, but “just” with collecting metadata, as if metadata didn’t reveal just about as much about us as does the content itself. Metadata, when it comes to phone communications, includes who we call or text, who they contact (that’s called a “hop”), when we call or text, and the duration of each call or length of each message. Since the surveillance revelations, there have been various studies about how much can be gleaned about us from metadata. The answer: a lot. Now, researchers at Stanford University in the US have done another study, and their findings confirm that basic, supposedly anonymous phone logs can be used to glean people’s names, where they live, their partners’ names, and intimate personal details. A sample of the researchers’ vignettes show the type of things they managed to infer:

  • Somebody’s planning to grow weed. Within less than 3 weeks, the subject made calls to a hardware outlet, locksmiths, a hydroponics store, and a head shop.
  • Somebody’s got heart problems. The evidence included a long call from the cardiology group at a regional medical center, brief calls with a medical laboratory, several short calls from a local drugstore, and brief calls to a self-reporting hotline for a cardiac arrhythmia monitoring device.
  • Somebody’s pregnant. Early one morning, the subject was on the phone with her sister for a long time. Two days later, she called a nearby Planned Parenthood clinic several times. Two weeks later, she placed more brief calls to Planned Parenthood, and she placed another short call a month after.

The study involved 823 participants who volunteered to have their metadata collected via an Android app on their phones. The researchers also required participants to have a Facebook account, so as to verify that they were over the age of 18, as well as to verify the accuracy of their results. [Naked Security] [TechCrunch][“Evaluating the privacy properties of telephone metadata“]

US – Feds & States Continue to Expose SSNs on Mailed Documents

Americans Collecting Disability and Unemployment are at Risk of Identity Theft. Members of the FTC and consumer groups criticized the Employment Development Department’s (EDD) practice of using the numbers as identifiers on mailed documents and state lawmakers from both sides of the aisle demanded the EDD make changes. The coverage ultimately shamed the EDD into doing what it had long insisted was impossible. Three months after our first report, the agency began redacting social security numbers on the most commonly mailed documents. However, now we’ve discovered the EDD is still printing the number on many other mailed documents, including those sent to claimants collecting disability. The EDD is not alone in mailing sensitive information. ConsumerWatch reached out to every state in the nation and only 8 of the 42 states that responded say they redact Social Security numbers on all mailed documents. Like California, 17 admit they still mail the full number on documents to both claimants and employers. Another 17 states say they only print the full SSN on documents mailed to employers. However, that is just as concerning for many who don’t trust that their former employers will take the same care that they would to properly dispose of the documents. [Source]

Intellectual Property

CA – Ann Cavoukian Launches Global Council on PbD Standards

Ann Cavoukian, former Ontario, Canada information and privacy commissioner, will form a new international council to advocate and set standards for privacy by design. The International Council on Global Privacy and Security: By Design will work with companies, national privacy commissioners and technology professionals to educate the public and raise awareness for privacy by design. Cavoukian set out three goals for the council:

  •  educate politicians, businesses, government, media and the public that systems can and must be engineered to protect both privacy and security;
  •  create policy templates that can show how privacy can be applied to technologies in the digital age; and
  •  foster technology innovation in academic institutions around the world to foster privacy and public safety, as well as privacy and business interests, such as big data and data analytics, without sacrificing either privacy or security. [Source]

Internet / WWW

WW – Study: Facebook, Google own top-used third parties

Google and Facebook-owned third parties are among the top-used on the Internet’s most-viewed sites, a new study from the Princeton Web Census shows. “Google owns seven of the 10 most loaded third-party domains,” the report states, adding Google Analytics was by far the most popular. “The remaining three are all owned by Facebook.” While the study found the amount of third parties a typical Internet user would engage with is “relatively small,” new websites are among those with the highest number of trackers. “Since many of these sites provide articles for free and lack an external funding source [these sites] are pressured to monetize page views with significantly more advertising,” the study states. [Full Story]

Law Enforcement

US – National Institute of Justice to Review Body Worn Cameras, Seeks Input
The National Institute of Justice (“NIJ”) is soliciting information in support of the upcoming National Criminal Justice Technology Research, Test, and Evaluation Center (NIJ RT&E Center) “Market Survey of Body Worn Camera (BWC) Technologies”; input is due May 31, 2016. [Source]


WW – Study: Just 8 Tweets Can Reveal Precise Location

MIT and Oxford University researchers say with just eight tweets, “a relatively low-tech snooper” can deduce a user’s whereabouts using location stamps. A paper presented by researchers Ilaria Liccardi, Alfie Abdul-Rahman and Min Chen at a recent conference says while Twitter’s location notation is opt-in, many users reportedly engage the services. “With this study, what we wanted to show is that when you send location data as a secondary piece of information, it is extremely simple for people with very little technical knowledge to find out where you work or live,” Liccardi said. Their work was a part of MIT’s Internet Policy Research Initiative, a program geared toward increasing social media privacy awareness. [MIT News]

Online Privacy

WW – Researchers Publish Information on Nearly 70,000 OkCupid Users

Nearly 70,000 OkCupid users had their data published by researchers, including their usernames, location, sexual turn-ons and sexual orientation. Two Danish researchers, Emil O. W. Kirkegaard and Julius D. Bjerrekær, collected the data from the dating website using a scraper, a tool saving certain segments of a Web page. The scraper targeted random profiles who had answered numerous OkCupid multiple-choice questions. While the researchers’ actions were legal, criticism has been levied at the project. Scott B. Weingart, digital humanities specialist at Carnegie Mellon University, said in a tweet he could use the information to re-identify the actual identities of OkCupid users. Weingart claimed he could with 90 percent accuracy connect sexual preferences and histories to real names of over 10,000 of the OkCupid users. [MotherBoard]

WW – OKCupid Study Raises New Questions About ‘Public’ Data

When you sign up for a dating website, you are making your information available for other users to see. But does that mean your information is “public”? Experts are now mulling this question after a group of researchers released a data set of nearly 70,000 users from the online dating site OkCupid. The researchers used a “scraper,” or a browser extension designed to collect data from web pages, to collect the data. In other words, they collected the data without OkCupid’s permission, breaking the site’s terms of usage and the Computer Fraud and Abuse Act. The data was uploaded on Open Science Framework, an online forum that encourages researchers to share data for easy collaborations, but it has since been removed. The scraped data revealed many user details including name, age, gender, religion, and detailed information about users’ habits and preferences. When asked whether the researchers took measures to anonymize the data, Mr. Kirkegaard, the lead researcher responded, “No. Data is already public… All the data found in the dataset are or were already publicly available, so releasing this dataset merely presents it in a more useful form.” But even if the data is available to other users, should it be shared publicly? Some experts don’t think so. While OkCupid lets registered users view profiles of other users on the site, that doesn’t justify anyone releasing this information to the public, they say. In this case, the researchers breached the ethics of Social Science Research, which requires researchers to obtain consent from subjects as well as ensure that researchers are maintaining confidentiality before they can publicly share personal information. The OkCupid profiles include very personal information on everything from political views to sexual habits. OkCupid asks its users hundreds of questions to help its algorithm generate better matches. Though the researchers didn’t release real names with the data, just profile user names, that is not considered maintaining confidentiality, say experts. One Twitter user claimed that he could link some bits of data to actual names of more than 10,000 users on OkCupid. [The Christian Science Monitor] See also: [OkCupid Study Reveals the Perils of Big-Data Science]

WW – Study: 16% of Apps Access Info Sans Consent

Deloitte published its annual privacy index 10 May, which found that of 88 brands’ apps, from various industries in Australia, 16% accessed users’ phone data without notifying them. The surveyed brands were not named, although Deloitte’s Tommy Viljoenhen called them among “the most trusted.” He added, “What’s happening with the brands we don’t know about? As consumers, are we even aware of the extent to which information is being collected without our knowledge?” [Mashable]

Other Jurisdictions

US – Report: Schools ‘Soft Targets’ for Data Collection

A new report details how schools are “soft targets” for companies looking to obtain data and market to children. “Learning to be Watched: Surveillance Culture at School,” from the National Center for Education Policy at the University of Colorado at Boulder, discusses how student privacy has been compromised by organizations creating relationships with schools, often through free technology. The report also discusses how laws created to protect student privacy, including the Children’s Online Privacy Protection Act, have major weaknesses. “Schools have proven to be a soft target for data gathering and marketing. Not only are they eager to adopt technology that promises better learning, but their lack of resources makes them susceptible to offers of free technology, free programs and activities, free educational materials, and help with fundraising,” the report said. [The Washington Post]

Privacy (US)

US – SCOTUS on Spokeo: Life Just Got Harder for Class-Action Lawyers As Court Rejects ‘No-Injury’ Cases

Plaintiff lawyers who have built a lucrative business over the past few decades suing companies over minor legal breaches that arguably harmed no one may have a tougher time bringing cases following the U.S. Supreme Court’s decision in Spokeo v. Robins, requiring plaintiffs to plead a “concrete” injury to proceed in federal court. The decision wasn’t a complete win for corporate defendants as the court left plenty of room for creative lawyers to craft complaints that allege their clients suffered an injury, no matter how small, from miscues like data breaches or incorrectly worded mortgage documents. But by stating clearly that some injury is required under Article III of the Constitution, the court may have ended the long-profitable business of suing companies over nothing more than statutory damages provided under laws like the anti-robocalling Telephone Consumer Protection Act. Spokeo was sued by Thomas Robins, who claimed the online information site inflated his education credentials and made other errors that may have caused him to have a harder time finding a job. I say “may have,” since it is extremely unlikely any potential employers actually looked at his entry on Spokeo and Robins didn’t provide any evidence supporting the idea he was harmed. [Forbes] See also: [Brace for more class action challenges post-Spokeo]

US – EFF Releases Annual Report

The Electronic Frontier Foundation released its 2015 annual report, covering all of the work the organization has achieved during the past year. The group celebrated more than 500,000 installations of its Privacy Badger browser extension and the two-millionth certificate of its Let’s Encrypt service. The EFF also touted major activism and law efforts it has completed in the past year. “We fight to make sure people have access to the speech platforms and privacy tools that help them take control of their world,” said EFF Executive Director Cindy Cohn, adding, “Based in part on our near decade of activism and legal work, Congress also passed the USA Freedom Act, the first real restrictions and oversight imposed on the NSA’s surveillance powers since 1978.” [Full Story]

US – Other Privacy News

Privacy Enhancing Technologies (PETs)

WW – Acronis Applying Blockchain to Data Protection Problems

Acronis has announced a new strategic initiative to develop applications of Blockchain technology for data protection. The company announced the initiative at its 2016 VIP Partner Summit held in Singapore this week. Acronis is taking a unique and targeted approach at how Blockchain can be used to solve specific data protection problems by seeking and developing use cases that exist today. Data and transactions that are protected from tampering by Blockchain can be used for those use cases where individuals or businesses absolutely must maintain the integrity of the original information. [Source] See also: [IBM Touts Blockchain to National Cyber Security Commission]


WW – Almost Half of Companies Don’t Teach Staff Data Security

44% of companies do not think it should be compulsory for staff to be trained around data security, even though they have formal data protection processes in place. This is despite the security firm finding more than 22% of IT professionals have shared confidential information using an unsecure file sharing platform such as Google Drive, OneDrive or Dropbox, while 10% said they have shared data with people outside the company. Employees are also no strangers to data loss. 13% of the 2,000 IT professionals questioned admitted they have lost data while at work and 5% said they have experienced a data breach. Egnyte also explained that 14% of staff had opened an unsecure link that had been sent to their work email and 12% had used a public Wi-Fi network to work on confidential documents. “File sharing technology is sound from a security perspective… The root cause of mishaps is simply lack of awareness. With conscious effort to educate end users, enterprises can secure their data at little real cost. “Additional measures as simple as creating a checklist of content protection recommendations and making it readily available to employees, or integrating content management best practices into onboarding, can move the needle.” [Source]


US – Privacy Groups, Industry Agree to Best Practices for Drone Use

Stakeholders taking part in the National Telecommunications & Information Administration Multi-Stakeholder process have agreed to a set of best practices for drones. The practices are designed to provide flexibility for drone use, especially for smaller operators, while providing strong privacy standards. Groups agreeing to the practices include Amazon, the Software & Information Industry Association, and the Consumer Technology Association. “These standards will help ensure these technologies are deployed with privacy in mind,” said Future of Privacy Forum CEO Jules Polonetsky,. In a blog post, Center for Democracy & Technology Vice President of Policy Chris Calabrese said, “As the nascent drone industry is starting to take-off, adopting these best practices will help ensure that drones fly safely, ethically and respectfully.” [FPF]

US – CDT, Fitbit Collaborate On Best R&D Privacy Practices for Wearables

The Center for Democracy & Technology joined forces with Fitbit to release a report detailing the best privacy practices for research and development teams working in wearable technologies. Together with Fitbit, the CDT conducted interviews, surveys and other research to assess industry trends and best practices. “R&D teams in wearable technology can and should also be laboratories of privacy and ethical research best practices,” wrote CDT and Fitbit. The paper also offers “practical guidance on privacy-protective and ethical internal research procedures at wearable technology companies,” they add. Other key takeaways include the need for a culture of privacy, security and ethics in R&D, successful management of many different forms of trust with consumers, and the need for policies and procedures for handling ethical questions on R&D teams. [Full Story]

Telecom / TV

US – Tracking Apps Raise Security, Privacy and Legality Questions: GAO

Tracking apps can be useful in a variety of ways, such as, letting consenting spouses know each other’s locations. However, location data from mobile devices can be highly personal …”GAO found that some federal laws apply or potentially apply to smartphone tracking apps, particularly those that surreptitiously intercept communications such as e-mails or texts, but may not apply to some instances involving surreptitiously tracking location. Statutes that may be applicable to surreptitious tracking apps, depending on the circumstances of their sale or use, are statutes related to wiretapping, unfair or deceptive trade practices, computer fraud, and stalking. [Experts the GAO interviewed] also expressed concerns over what they perceived to be limited enforcement of laws related to tracking apps and stalking,” the GAO stated. [Network World]

US Legislation

US – Legislative Roundup

Workplace Privacy

US – FTC Releases FCRA Guidance

The FTC has published new guidance to assist employment background checking agencies with Fair Credit Reporting Act compliance, the agency announced in a statement. The guidance is primarily concerned with showing companies what work would qualify them as a consumer reporting agency and, given that, what their legal obligations may be. [FTC]

US – Social Media Posts Now Fair Game for Security-Clearance Applications

Director of National Intelligence James Clapper released a policy May 13 that confirms federal agencies will begin using public information from social media sites when looking at security clearance applications. Information the government finds irrelevant will be deleted from their servers, the report states. Some lawmakers expressed concern. “How do we flag the serious from the trivia?” asked Rep. Gerry Connolly, D-Va. “How do we make sure we don’t have some enormous depository of government information” that is held? [The Washington Post]

US – Workplace Monitoring Gets Easier Under New Law

“Companies that monitor their employees’ emails or Internet activity now have new protections from potential allegations of wiretap violations: Under the Cybersecurity Act of 2015, companies enjoy liability protection for the monitoring of their information systems for ‘cybersecurity purposes.’” “The act’s inclusion of liability protections for cybersecurity activities to safeguard theconfidentiality of information suggests that monitoring in order to protect trade secrets and intellectual property could receive liability relief in addition to monitoring for general network security.” [Full Story]

CA – Suncor Wins Legal Round for Random Oilsands Drug Testing

A Court of Queen’s Bench judge has quashed a 2014 arbitration panel ruling that determined the proposed testing plan would violate the privacy of union workers represented by Unifor. Justice Blair Nixon said the panel should have considered evidence about alcohol and drug incidents involving all workers at Suncor, including non-union contract employees. “By focusing only on the bargaining unit, the majority (of the panel) expressly excluded consideration of relevant evidence,” Nixon wrote. “The majority ignored evidence pertaining to some two-thirds of the individuals working in the oilsands operation.” [Source]



7-11 May 2016


US – Federal Judge Says Facebook Photo-Tagging Suit Can Continue

A San Francisco federal judge is allowing a case against Facebook’s facial recognition, photo-tagging feature to proceed. Plaintiffs have argued the feature violates users’ privacy, as the facial recognition technology goes against Illinois’ Biometric Information Privacy Act, which requires companies to obtain explicit consent from users before gathering biometric data. While Facebook argued the feature is covered in its terms of service, and that the suit should be dismissed, U.S. District Judge James Donato disagreed. “Trying to cabin this purpose within a specific in-person data collection technique has no support in the words and structure of the statute, and is antithetical to its broad purpose of protecting privacy in the face of emerging biometric technology,” Donato wrote in his ruling. [USA Today] See also: [Facial-recognition tech used for anti-theft initiatives] and [Italy’s Data Protection Authority has mandated that Facebook disclose details of an instance of trolling in a case where the user claims the social network responded unsatisfactorily, International Business Times reports]

EU – EU Proposes Minority Report-Style Facial Recognition for Refugees 

In its attempts to bring the refugee crisis to heel, the European Commission wants to expand its fingerprint database, introduce facial recognition software, store the information for even longer than before and include minors in the process. The EU is planning wholesale changes to the bloc’s asylum law. In addition to a “fairer” distribution system for refugees and an extension of border controls within the Schengen area, the Eurodac fingerprint database, which is currently used to identify asylum seekers and irregular migrants, is to be enlarged. The system is set to be supplemented with facial recognition software and personal data will be stored for a longer period of time, with the aim of ensuring that irregular migrants stay on the authorities’ radar; the information of underage refugees will also be kept. The upgrade will cost some E30 million. [Source]

US – Illinois Anger Over Elementary School Student Thumbprint Scanner

Privacy advocates are concerned about what looks to them like Big Brother overreach in an Illinois elementary school. The Harrison Street Elementary School in Geneva has installed a new thumbprint scanner for students to pay for their meals and keep track of their accounts. The thumb scanners replaced another biometric device by PushCoin Inc. that the school used last year. These types of devices are growing in popularity and other districts are looking to implement the scanners. But not everyone thinks they are a good idea. Parents are able to opt out and use a card if they want to. [Source] [Daily Herald]


CA – OIPC SK Releases Guidance Regarding Access to Personal Information of a Child Under the Age of 18

The Office of the Saskatchewan Information and Privacy Commissioner has released guidance relating to obtaining personal information of a child under the age of 18 years: Included is a list of common questions and responses. Unless otherwise ordered by a Court or a custodial agreement, the Children’s Law Act, FOIP, LA FOIP and HIPA confer the right or power of a legal custodian to request access to personal information of a child under the age of 18; trustees need to exercise discretion when determining if the disclosure is reasonable or will constitute as an invasion of the child’s privacy, such as when the child expresses they don’t want a parent to know or if the information is highly sensitive. [Office of the Saskatchewan Information and Privacy Commissioner – Who Signs for a Child?]


NZ – Privacy Commissioner Survey Finds Privacy a Major Concern

New Zealanders are becoming increasingly worried about their privacy, according to a new survey. In the new UMR public opinion survey, commissioned by the Privacy Commissioner, 46% of the 751 people questioned said they were growing more worried about individual privacy, and their online information in particular. That is especially the case for young people and those with a university education. Privacy Commissioner John Edwards said there was a high level of concern about identity theft as well as financial and health information. About 80% of those surveyed were worried about identity theft and their credit card and banking details being stolen. Nearly all respondents – 87% – were concerned about the personal information children upload to the internet. The survey also found that 62% felt personal data should not be shared between government organisations, as the risk to people’s privacy and security outweighed the benefits. But they were more open to data sharing when safeguards were put in place, with a small majority willing to share data as long as they could opt out if they chose, of if there were strict controls on who could access the data and how it was used. [Source] [Survey]

WW – Snowden’s Surveillance Leaks Made People Less Likely to Read About Surveillance

A new Oxford University study has published empirical evidence showing that government mass surveillance programs like those exposed by Edward Snowden make us significantly less likely to read about surveillance and other national security-related topics online. The study looks at Wikipedia traffic before and after Snowden’s surveillance revelations to offer some new insight into the phenomenon of “chilling effects,” which privacy advocates frequently cite as a damaging consequence of unchecked government surveillance. What it found is that traffic on “privacy-sensitive” articles dropped significantly following what author Jon Penney describes as an “exogenous shock” caused by revelations of the NSA’s mass surveillance programs and the resulting media coverage. The articles were chosen based on keywords from a list of terms flagged by the Department of Homeland Security, used for monitoring social media for terrorism and “suspicious” activity. For example, Wikipedia articles containing the 48 terrorism-related terms the DHS identified—including “al-Qaeda,” “carbomb” and “Taliban”—saw their traffic drop by 20%. The results also mirror a similar MIT study from last year which found that users were less likely to run Google searches containing privacy and national security-related terms that might make them suspicious in the eyes of the government. Perhaps even more alarmingly, the study seems to show a long-term drop in article views on these topics that lasts well past the initial shock of Snowden’s revelations, suggesting that people’s’ calculations about what to read on Wikipedia may have been permanently affected. [Source]


US – Former Officer Is Jailed Months Without Charges, Over Encrypted Drives  

A former police sergeant has been held without charges in a federal detention cell in Philadelphia, part of an effort by the authorities to pressure him to decrypt two computer hard drives believed to contain child pornography. The case reveals yet another battle line for law enforcement and digital privacy advocates over encryption, this time on an Apple computer, not an iPhone. The sergeant, Francis Rawls, was ordered by a federal court last August to hand over the two hard drives, which were seized from his home because they were suspected to contain the illegal pornography. When he refused to decrypt the drives, claiming he could not remember the passwords, he was taken into custody, and this week he started his eighth month in a federal detention center, all without ever being charged with a crime. Mr. Rawls’s case is the latest in a growing number of legal battles over digital privacy in the United States. The challenges are playing out in courts across the country, propelling a national debate over when the government can compel individuals or companies to disclose codes or passwords giving access to private data. “Not only is he presently being held without charges, but he has never in his life been charged with a crime,” Keith M. Donoghue, his federal public defender, wrote in a motion last week seeking his client’s release. [Source]

EU Developments

EU – GDPR, Directive 2016/680, PNR Officially Published

It’s finally final for three separate pieces of privacy legislation in the EU. On 4 May, the Official Journal of the European Union published the texts of the General Data Protection Regulation, officially Regulation 2016/679; Directive 2016/680, governing the handling of data in law enforcement situations; and the Passenger Name Record Directive, officially Directive 2016/681. This creates something of a countdown clock for privacy professionals. As the GDPR goes into effect two years and 20 days following its publishing in the Official Journal, 25 May 2018, takes on new portent. [Lex-Europea] See also: [The European Parliament is struggling to set a date for a plenary vote on the EU-U.S. Privacy Shield] [The US Supreme Court has updated Rule 41, allowing federal judges to issue warrants for computers outside of their jurisdiction, potentially threatening the EU-U.S. Privacy Shield.]

UK – Employers Vicariously Liable for Data Breaches Caused by Rogue Employees

In April 2016, the High Court of England and Wales issued its judgment in Axon v Ministry of Defence [2016] EWHC 787 (QB). The court emphasised (albeit obiter) the fact that employers can be liable for data breaches caused by rogue employees (in the present case, an employee who had passed on certain information to journalists without the permission of her employer). The impact of this decision on employers is potentially significant, and it serves as another reminder to employers to implement proper data protection processes and procedures, and to ensure that employees receive appropriate training on these issues. [Source] [PDF]

EU – CJEU to Rule on Test Data Case

The Supreme Court of Ireland has referred to the Court of Justice of the European Union to decide whether a man’s accounting exam is considered personal data under the Data Protection Act. After being denied access to his test by both his school and the Data Protection Commissioner, plaintiff Peter Nowak argued in the Circuit Court and then appealed to the High Court that his handwritten test qualified as biometric, and therefore personal data, the report states. He further argued that as exam results are “considered personal,” the test and exam comments ought to be too. [Independent]

Facts & Stats

WW – UNCTAD Publishes Report on Data Flows, International Trade

Late last month, the United Nations Conference on Trade and Development released a new study on privacy law, trans-border data flow and their implications on international trade and development. The in-depth and substantive report also places a focus on developing nations. “The study reviews the current landscape and analyzes possible options for making data protection policies internationally more compatible,” the report states. Contributors to the report include international organizations, government bodies, the private sector and civil society. “The findings of the study should help to inform the much needed multi-stakeholder dialogue on how to enhance international compatibility in the protection of data and privacy,” the report adds. [UNCTAD]


CA – BC Makes Changes to Freedom of Information Law

B.C. cabinet’s travel receipts, calendars to automatically be made public: Finance Minister Mike de Jong has issued a rare order under B.C.’s Freedom of Information law to ensure that travel receipts and daily calendars for cabinet ministers and their senior officials are automatically made public. The change was part of a series of directives issued by Mr. de Jong to respond to criticism that his government has deliberately thwarted the release of information to the public through the practice of triple-deleting e-mails within government and relying on oral reports to avoid the creation of documents that could be accessed. Vincent Gogolek, executive director of the BC FIPA, said Mr. de Jong’s changes are both minimal and long overdue. “They are not doing nothing, but they are doing the least possible,” Mr. Gogolek predicted one of Mr. de Jong’s new initiatives will be counterproductive. Starting this month, the government will publish all active access-to-information (FOI) requests, a measure that Mr. de Jong said will provide more transparency on government response times. However, Mr. Gogelek said the change could discourage access requests. “This is exposing FOI requesters. The privacy commissioner has asked for anonymity for those making information requests, and this seems to be going in the opposite direction.” [Source]

CA – B.C. Privacy Commissioner Mainly Positive Toward New FOI Policies

British Columbia’s Information and Privacy Commissioner is praising the province’s expansion of its Access-to-Information policies, but she’s also concerned about the potential “unintended consequences” of a decision to post information requests as they are received. Elizabeth Denham issued a statement on Tuesday that offered a largely positive assessment of the changes, which were announced a day earlier, but singled out the disclosure of Freedom-of-Information (FOI) requests as a potential concern. “I wish to examine all possible implications, including any unintended consequences, of publicly disclosing a description of an applicant’s request for records before they have received those records,” Ms. Denham said in her statement. [Source]

CA – OIPC BC Finds Ministry Properly Withheld Information Relating to Tolling Framework

The OIPC BC reconsidered Order F14-20, pursuant to a court order, where the Ministry of Transportation and Infrastructure refused to disclose information requested under the Freedom of Information and Protection of Privacy Act. Disclosure of the information would reveal the substance of the Ministry’s deliberations because it contained financial implications of the framework, and a presentation that formed the basis of the Priorities and Planning Committee’s deliberations; although the decision to impose a toll was made public and implemented, the information should not be disclosed because it related directly to the issues the Committee considered. OIPC BC – Order F16-22 – Ministry of Transportation and Infrastructure [Re-consideration Order – F16-22] [Original Order – F14-20]

US – ODNI Releases Documents as Part of FOIA Pilot Program

The US Office of the Director of National Intelligence released several documents as part of a pilot program with the Freedom of Information Act. The ODNI is one of seven federal agencies contributing to the program, with the goal of making FOIA record requests available to the public. During the program, the ODNI will announce the release of “proactive disclosures.” Among the first group of documents released include, “Unlocking the Secrets: How to Use the Intelligence Community“ and “Semiannual Report to the Director of National Intelligence – Office of the Inspector General of the Intelligence Community.” [Full Story]


CA – Looking for an ‘Internet of DNA’

The Star reports on calls by some researchers to create an “Internet of DNA” to help treat rare genetic diseases and psychological disorders. “If we’re looking to 2025, I see a kind of World Wide Web for health, a true Internet for health, which doesn’t exist today,” said Dr. Tom Hudson, a genomics researcher and president of the Ontario Institute for Cancer Research. “We are transforming a lot of information into digital bits and that information is huge,” he added. Such a DNA network could transform medicine and how diseases are cured, researchers argue. Currently, valuable medical data is contained in silos, “while legal, technical and cultural barriers prevent scientists from easily sharing their data troves,” the report states. “If nothing is done, there is a risk that balkanized systems will soon become established,” the Global Alliance’s website points out. [Full Story]

Health / Medical

CA – Northern Canadian Hospital Confirms Staff Wrongly Accessed Patient Records

Security experts emphasize that organizations have to limit access to databases with sensitive information. However, they also have to carefully design information systems themselves so sensitive data doesn’t appear on screens users have legitimate reasons to see. That appears to have failed at a health authority in Canada’s far north, which confirmed that employees inappropriately accessed patient health records through an online scheduling system in what appears to be a case of employee snooping. CBC News reported that some staff the Beaufort-Delta Health and Social Services Authority, which serves 6,700 residents of the Beaufort Delta Region in the Northwest Territories including the Inuvik Regional Hospital have been disciplined for wrongly accessing records of  67 patients. The information “had been inappropriately accessed by staff outside a legitimate scope of duties,” Arlene Jorgensen, CEO of the Inuvik Health Authority, was quoted as saying. The institution’s scheduling system includes expected information such as appointment times and check-out dates. But it also lists the reason patients were at the hospital. Several staff members who had accessed this information did not need it to do their jobs, according to the health authority. The authority emphasized that detailed information, such as diagnoses were not accessed during the breach. [Source]

CA – Ontario Appeals Board Finds Regulatory Committee Failed to Adequately Investigate Complaint Alleging Physician Inappropriately Accessed Patient Files

The Board reviewed the decision of the Inquiries, Complaints and Reports Committee of the College of Physicians and Surgeons regarding a complaint made against a physician. The regulatory committee failed to properly examine whether the access took place after the physician left a clinic, may have improperly concluded that the access was due to the nature of the filing system (computer logs may support a different conclusion), and failed to consider that the alleged breach is a serious matter under PHIPA; mandatory further investigation should include direct questioning of the physician, examining how the electronic filing system operates, and determining what system access is allowed a non-treating professional. [F.J.S., MD v. S.S.E., MD – 2016 CanLII (ON HPHARB) – Health Professions Appeal and Review Board]

CA – Ontario Appeal Board Upholds Verbal Caution to Pharmacist Regarding Confidentiality

the Health Professions Appeal and Review Board reviewed an investigation of the Inquiries, Complaints and Reports Committee of the Ontario College of Pharmacists, into a pharmacist’s solicitation of new business. The pharmacist obtained patient information from his previous employer and used it to establish clientele for his new business; the Committee found that this active solicitation of business was inappropriate, and warned the pharmacist that he must maintain patient confidentiality, not use patient information for improper purposes, demonstrate professionalism and ethical principles, and respect patients’ right of self-determination. [J.J. v G.C., 2016 CanLII 21553 (ON HPARB) – File#15-CRV-0181]

US – OCR Cautions Hospitals to Prepare for Breaches at Business Associates

With many healthcare organizations questioning their data security arrangements with business partners, the Office of Civil Rights (OCR) of the Department of Health and Human Services, sent out an alert suggesting steps to mitigate damage from breaches resulting from those associations. The alert OCR sent last week said that following the 2015 hack of U.S. Office of Personnel Management (OPM), many healthcare organizations believe the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have not stopped breaches and have not allayed their fears. “Not only do a large percentage of HIPAA covered entities believe they will not be notified of security breaches or cyberattacks by their HIPAA business associates, they also think it is difficult to manage security incidents involving business associates, and impossible to determine if data safeguards and security policies and procedures at their business associates are adequate to respond effectively to a data breach,” the alert said. As a result, HIPAA-covered organizations and their HIPAA business associates should consider how they will confront a breach at their business associates or subcontractors. [Source] See also: [Ontario’s legislature has passed the Health Information Protection Act in its third reading. The act aims to improve privacy, accountability and transparency in health care, according to a news release]

US – Brookings Calls Out OCR on HIPAA Audits, Offers Security Tips for Healthcare Organizations  

With the healthcare industry suddenly accounting for nearly 25% of all data breaches, a new study from The Brookings Institution suggests some new cybersecurity strategies are needed. Niam Yaraghi, a Brookings fellow, conducted in-depth interviews with 22 healthcare organizations – providers, payers and business associates – that had each experienced at least one  data breach. He found some things in common across them, and some differences. But his biggest takeaway was that guidance and enforcement from the federal government isn’t doing enough to keep patient data safe, and that a more concerted private-sector strategy is needed to help ensure security best practices. In his report, “Hackers, phishers, and disappearing thumb drives: Lessons learned from major healthcare data breaches,” Yaraghi offered a series of suggestions for both the HHS Office of Civil Rights and those working in the healthcare trenches. [Source] See also: [Status report: OCR’s effort to guide HIPAA compliance in mobile health] [Earlier HIPAA Audits Help Healthcare Data Breach Prevention]

Horror Stories

CA – Two Convicted of Snooping on Rob Ford

An Ontario court has convicted two health care workers for unauthorized access to the late mayor Rob Ford’s medical records, the first such conviction under the province’s health privacy law. Both workers pleaded guilty under PHIPA to “willfully collecting, using or disclosing personal health information,” the report states. The former employees have also each been fined $2,505 for the incident. There is no evidence the workers shared the health records they accessed. [The Star] SEE ALSO College of Nurses of Ontario disciplines nurse who snooped into patient records. Mandy Gayle Edgerton – Results of Past Hearings – College of Nurses of Ontario Results of Past Hearings | Toronto Star ]

UK – London HIV Clinic Fined £180,000 for ‘Serious’ Data Breach

A London HIV clinic that leaked data on 781 of its patients has been fined £180,000. 56 Dean Street, based in London’s Soho, sent an email newsletter with all patient email addresses in the ‘To’ field, rather than the ‘Bcc’ field. The email addresses allowed for the identification of the patients – 730 of the 781 contained people’s full names – and constituted a “serious breach” of data protection rules, the Information Commissioner’s Office (ICO) said. The Option E newsletter was intended for people using the clinic’s sexual health services and gave general details for treatment and support. The ICO said the breach was “likely to have caused substantial distress” to those who were included on the list. Under data protection rules, information about a person’s health or sexual life is deemed as sensitive and the organisation issued the monetary penalty after an investigation. “It is clear that this breach caused a great deal of upset to the people affected,” Information Commissioner Chris Graham said in a statement. “We recalled/deleted the email as soon as we realised what happened. If it is still in your inbox please The NHS Trust can appeal the decision but if it decides to pay the fine before June 2 it will be reduced to £144,000. Medical director and caldicott guardian Zoe Penn, from the clinic, said that it “fully accept[s]” the decision of the ICO and that the organisation had made changes to its procedures. [Source]

Internet / WWW

WW – Twitter Bans US Spying Agencies from Terrorism Early Alert Service

In the growing fury over terrorism, surveillance and privacy, Twitter has shoved the US government further away by closing down US spy agencies’ access to a data-mining service that spots terror attacks. The company hadn’t announced the news as of Monday morning. Rather, a senior official in the intelligence community, along with others privy to the matter, told the Wall Street Journal about it. The service in question is Dataminr: a real-time information discovery service that analyzes the output of Twitter’s firehose of real-time public tweets, geolocation data, traffic data, news wires and other data streams, to turn up breaking news such as natural disasters, political unrest and terror attacks. [Source]

Law Enforcement

US – Digital Rights Group Challenges Legality of ‘Thematic Warrants’

Privacy International has filed a judicial review challenging a decision regarding the sanctioned use of “thematic warrants.” The digital rights group sent the review to the U.K. High Court, appealing an earlier decision by an oversight tribunal of the security agencies in the U.K. over the use of the warrants. Privacy International is arguing the legality of the “thematic warrants” — orders giving the government major invasive investigatory powers covering wide classes of people and property. The group first challenged the use of the warrants in 2014, saying they violate Articles 8 and 10 of the European Convention on Human Rights. In related news, the Guardian reports on another privacy advocacy group using an interesting face to don on their campaign against the Investigatory Powers Bill: North Korean leader Kim Jong-un. [TechCrunch]

US – New Hampshire State Claims that Secret Recording of Police Is a Crime

New Hampshire outlaws recording conversations when any party to the conversation “has a reasonable expectation that the communication is not subject to interception, under circumstances justifying such expectation,” thus requiring the knowledge of all parties before such a conversation can be recorded. Most states require only “one-party consent,” under which you can record a conversation to which you are a party, because you consent to the recording, even if the others don’t. But some states — including New Hampshire — require “all-party consent,” or at least all-party knowledge, that the conversation is being recorded. And New Hampshire authorities read this as applying even when someone is recording his conversation with the police. Indeed, Alfredo Valentin is under indictment for recording such a conversation, between himself and the police officers who were searching his home. The U.S. Court of Appeals for the 1st Circuit, which is in charge of cases from New Hampshire, has held (Glik v. Cunniffe) that a similar Massachusetts law violates the First Amendment; but that case involved someone openly recording the police, and the court stressed that fact in the Fourth Amendment portion of the Glik opinion. New Hampshire authorities appear to take the view that secret recording of the police can be banned, even if open recording cannot be. [Source] See also: [New Jersey Governor Chris Christie has approved a bill making it illegal to surreptitiously record or photograph a person’s undergarments.]

Privacy (US)

US – FTC and FCC Join Forces to Examine Mobile Security

The FTC and the FCC are working together to examine the current state of mobile security. The FTC is issuing orders to eight mobile device manufacturers, requiring them to give the agency information on their procedures for issuing security updates to remedy device vulnerabilities. Among the companies receiving orders include Apple, Google, Microsoft and Samsung. The eight companies must provide details such as “the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device” and “detailed data on the specific mobile devices they have offered for sale to consumers since August 2013.” The FCC issued a press release announcing their cooperation with the FTC, and how they will send letters to mobile companies on how they evaluate and deliver security updates. [FTC] See also: [The Senate Judiciary Committee’s subcommittee on Privacy, Technology and the Law will host a May 11 hearing on the Federal Communications Commission’s proposed privacy rules] and [The New Privacy Cop Patrolling the Internet And it’s armed with new data-privacy rules]

US – Neopets, Global Email Addresses Among this Week’s Biggest Breaches

A dataset from JumpStart’s online game Neopets was posted online, with Motherboard reporting that the number of customers affected allegedly numbered more than 70 million. The information compromised varied from customer to customer, but no credit card or home addresses were breached, said JumpStart’s Jim Czulewicz. While the dataset appeared to be dated before JumpStart acquired Neopets in 2014, the company planned to alert customers regardless. reports that out of the recent global breach of more than 272.3 million email accounts, an estimated 42,000 accounts are Irish. [NextGov]

US – Lyft, Uber Among EFF Data-Sharing Report Top Scorers

The Electronic Frontier Foundation awarded Uber and Lyft with perfect scores on the group’s sharing economy data protection study. When grading organizations, the EFF considered whether they published transparency reports and if companies required government agencies to provide a warrant before they shared user data, the report states. “Consumers should be able to understand their privacy rights by reading the policies of the companies that hold their data,” EFF’s study states. [Fortune]

WW – Bark Helps Parents Keep Kids Safe Online Without Invading Their Privacy

Launching today at TechCrunch Disrupt NY 2016 is a new service called Bark, aimed at parents who want to keep their kids safe online. Unlike traditional “parental control” software or net nanny-type watchdog applications, Bark’s goal is to strike the correct balance between respecting a child’s right to privacy and protecting them from online predators and cyberbullying, while also looking out for issues like sexting or mental health concerns. To use the service, parents sign up online at the Bark website, add their kids, then work with the children to connect their social accounts. Once set up and configured, Bark uses machine learning techniques to look for incidents of dangerous activity, whether that’s cyberbullying, sexting, a child interacting with an older stranger who could be grooming them (as online predators do) or even signals that the child could be experiencing a mental health concern like depression or suicidal thoughts. When Bark finds something questionable, it sends an alert to the parent that not only contains the relevant conversation, when and where it took place, but also recommended ways of handling the issue appropriately. Bark competes with a handful of other solutions, including VISR, more traditional software programs and cyberbullying-specific solutions like ReThink or STOPit. [Source]


WW – Stop Resetting Your Passwords, Says UK Govt’s Spy Network

The UK government has, on World Password Day, repeated its advice against the common security practice of routinely changing passwords. “In 2015, we explicitly advised against [the practice],” a post by GCHQ’s Communications-Electronics Security Group (CESG) notes. “This article explains why we made this unexpected recommendation, and why we think it’s the right way forward.” As tech advice goes, this is one that people will actually want to hear, and the CESG has put out a 16-page document called “Simplifying Your Approach” that explains what you should do to get your information secure without driving your users crazy. Those in favor of automatically and regularly resetting passwords believe it makes historical password information useless; it forces users to periodically think about security; it increases the likelihood that people will use a password they do not use for other services; and it creates more of a moving target for potential hackers. “The problem is that this doesn’t take into account the inconvenience to users – the ‘usability costs’ – of forcing users to frequently change their passwords. The majority of password policies force us to use passwords that we find hard to remember.” The problem is our rubbish brains: “While we can manage this for a handful of passwords, we can’t do this for the dozens of passwords we now use in our online lives.” The result, according to CESG, is that we are more likely to write our password down. Or forget the password altogether, forcing service desks to reset them, chewing up time and resources. As a result, CESG “now recommend organisations do not force regular password expiry.” Instead, it says, companies should introduce system monitoring tools such as showing a user the last time they logged in to flag if someone else is using their account. [Source] See also: [Don’t do it! 5 ways to upgrade your passwords this PasswordDay]

WW – Security Defenses Improving at Many Firms, Study Reveals 

Many organizations have made significant improvements in IT security preparedness and effectiveness, taking steps to improve their security posture, according to new research from SolarWinds, a provider of IT management software. The company’s survey of IT professionals in North America showed that more than half (55%) said their organizations did not experience any security breaches in 2015. About 30% said they had experienced a breach. Half of the respondents said their organizations were less vulnerable than they were a year ago, compared with 12% who said they are more vulnerable. “The most surprising finding of the survey is just how many organizations are less vulnerable today than they were a year ago, and, on a related note, how many have implemented security technologies and better security training,” said SolarWinds. [2016 IT Security Survey, North America] [Source] See also: [Microsoft has published the 20th edition of its Security Intelligence Report covering the period July 2015 to December 2015]


US – Justice Department Building Wearable Camera Catalog for Police

The Justice Department is crafting a catalog to assist police departments buying wearable cameras, including information on the devices’ privacy capabilities. Fears surrounding hackers infiltrating body cameras will be addressed in the catalog, with data protection and privacy controls among the characteristics listed in the guide. Each device will have five areas of information to properly inform departments of what they are purchasing, covering vendor, camera, video storage software, ease of use, and installation. Included within those five categories are details on facial recognition, “privacy masking” to blur out certain images and protect personal privacy, and encryption features to protect data from cyberattacks. Sheila Jerusalem, a spokeswoman for the Justice Department’s National Institute of Justice, said the organization wants the guide available by December 2016. [Nextgov]

US Legislation

US – California Bill Would Dictate What Happens to Digital Footprint Post-Death

A new California bill could set a national precedent for the handling of an individual’s digital footprint after they pass away, Fusion reports. The Revised Uniform Fiduciary Access to Digital Assets Act would create rules for how companies can share a deceased person’s digital records. The rules first defer to the late party’s directions for how those records would be handled, then look toward a will. If no instructions have been left, all decisions will be made by the site’s terms of service. Despite revisions being made to the bill, privacy advocates are still concerned. “Is it possible that they might make mistakes both by releasing too much information or releasing it to the wrong person?” said Kevin Baker, legislative director for the ACLU of Northern California. “We think the history of the treatment of digital records shows that there likely will be mistakes.” [Full Story]



26 April – 05 May 2015


US – FBI Seeks Privacy Act Exemptions for Its Biometric Database

Seeking to avoid compromising law enforcement investigations, the FBI wants to prevent individuals from discovering if their information is contained within the agency’s biometric database. The Justice Department will propose the FBI’s “Next Generation Identification System“ be withheld from provisions of the Privacy Act. The NGIS gathers information on individuals, including palm prints, fingerprints, iris scans and facial photographs. The FBI fears that letting individuals know if their information is within the database could affect law enforcement investigations by undermining “national security efforts,” or possibly revealing a “sensitive investigative technique.” The Electronic Privacy Information Center’s Jeramie Scott said, “If you have no ability to access the record the FBI has on you, even when you’re not part of an investigation … and lo and behold inaccurate information forms ‘a pattern of activity’ that then subjects you to [be] the focus of the FBI, then that’s a problem.” [Nextgov]

RU – Facial Recognition App An ‘Unmitigated Privacy Disaster’

FindFace, a facial recognition app, has caused a stir within Russia, and its creators are working to halt malicious use. While the app has been used to take pictures of subway riders and locate them on Vkontakte, Russia’s version of Facebook, others have used it for more nefarious purposes, including outing Russian porn stars. Maxim Perlin, the founder of FindFace, said the company is “making every effort to protect all Vkontakte users from potential malicious acts,” but it’s difficult to stop the bad behavior. FindFace’s power comes from NTechLab, the company developing the facial recognition technology used by the app. NTechLab won the University of Washington’s face recognition challenge, beating out Google’s FaceNet program, by identifying 73% of individuals in a set of 500,000 images. [Fusion] [Facial Recognition Used to Strip Sex Workers of Anonymity]

US – Lunchroom Print Scanners Problematic?

Biometric company PushCoin and its lunch line fingerprint scanners have proponents lauding their convenience, but civil libertarians warn their growing preeminence may adversely dilute privacy attitudes. “I think it undermines the notion of really thinking about the importance of your biometrics as a matter of privacy,” said an ACLU spokesman. “I think in this age, when so much is available and so much is accessible online about us and there is all of this information that floats out there, to begin to include in this one’s biometrics, it really does raise some legitimate concerns.” [Daily Herald]


CA – Privacy Important to Business but Many Lack Privacy Basics: OPC Survey

While it is encouraging that businesses are increasingly using more tools to protect personal information, according to a recent survey, there is still room for improvement when it comes to meeting privacy obligations and preparing for soon to be in force mandatory breach requirements. These were among the findings revealed in the Office of the Privacy Commissioner’s (OPC) biannual telephone survey of 1,016 Canadian businesses. The survey seeks to examine the privacy awareness and practices of Canadian businesses. The findings come ahead of the coming into force of mandatory data breach obligations under federal privacy law. The survey showed some positive developments in certain areas. For example, 41% are “concerned” about suffering a potential data breach (up from 31% in 2013). The OPC was also encouraged to see that an increasing percentage (83%, up from 78 % in 2013) said their business uses technological tools, such as passwords, firewalls and encryption to protect customer personal information. The survey, however, revealed limited movement in other areas. For example, only 41% (up slightly from 37% in 2013) have policies and procedures in place to deal with a breach. In addition, less than half said they have privacy policies to inform customers about the personal information they collect and how it is used. The complete survey, which is considered to be accurate to within +/- 3.1%, 19 times out of 20, can be found on our website at [Source]

CA – Canadian Spy Agency CSE Won’t Reveal Number of Privacy Breaches

The Communications Security Establishment is refusing to release the number of privacy breaches the agency has logged since 2007. Documents obtained by the Star state the intelligence and cyber defence agency has maintained a central database for certain privacy violations since 2007. These breaches are categorized as minor “procedural errors” or more serious “privacy incidents,” and reviewed by the CSE Commissioner’s office every year. The Star requested just the number of breaches — no details about what actually transpired or the Canadian personal information involved — but was told the agency could not comply due to “operational security concerns.” “Releasing the number of (breaches) would provide insight into CSE’s capacity to conduct operations, the extent of its capabilities, the degree to which partner organizations benefit from sharing and the reach of the programs,” wrote spokesperson Ryan Foreman in an email last week. Documents tabled in Parliament last month show CSE logged 13 privacy and information breaches in 2015, affecting at least 630 individuals. The agency did not report any of the privacy breaches to the federal privacy commissioner, as CSE determined that there was “no significant risk” to the individuals involved. CSE further refused to report the activities that led to the breaches. The Star reported Sunday that the agency has been in a year-long debate with the Privacy Commissioner Daniel Therrien’s office over how much information CSE is required to report about privacy breaches. A government-wide regulation requires all serious breaches to be reported to the privacy watchdog, but a “discussion” about how best to do that has been dragging on since at least January 2015. On Monday, NDP foreign affairs critic Hélène Laverdière asked Defence Minister Harjit Sajjan to explain why CSE is resisting turning information over to Therrien’s office. “CSE has proactively worked with the commissioner on all aspects, and they do have a good working relationship,” said Sajjan, who is responsible for the intelligence agency. “CSE abides by Canadian law, including the Privacy Act.” [Star]

CA – OPC Funds Ten New Privacy Studies

This week, Canada’s Office of the Privacy Commissioner announced the research projects receiving funding in 2016-2017 under the annual OPC Contributions Program. They are:

  • Decision-Making and Privacy: How Youth Make Choices About Reputational and Data Privacy Online
  • Big Data Ethics Initiative: Assessment for Canadian Organizations
  • Understanding, Discovering and Asserting Personal Privacy Preferences: A Feasibility Study
  • E-Learning Courses on Anonymizing Data
  • Effects of Informal Online Regulatory Regimes on Privacy
  • The Peer Privacy Protectors Project: Innovative Youth-Led Privacy Education
  • Between Memory and Forgetting: Consumers and Digital Death
  • Cloud Atlas: A Citizen’s Guide to Online Privacy and Surveillance Using IXmaps
  • “Protect your Privacy—Online!” Educational Program
  • Left to their own Devices: Privacy Implications of Wearable Technology in Canadian Workplaces [Source]

CA – Children’s Aid Class Action Seeks $25 Million Damages from Hacking

A lawsuit is filed in Ontario court by an individual against county service organizations, a government minister, and others, alleging damages caused by a data breach. The PI of 285 clients was hacked and then posted on a social media site; causes of action include negligence, breach of fiduciary duty and confidence, negligent misrepresentation and intrusion upon seclusion (e.g. a failure to use adequate firewalls, encryption, and up-to-date security protocols and heed warnings about inadequate system security), a breach of Ontario’s FOI legislation (security was not appropriate to the sensitivity of the PI), and a breach of the Charter of Rights and Freedoms (operational negligence). [M.M. v. Family and Children’s Services of Lanark et al. – Statement of Claim – Ontario Superior Court of Justice] [Class action filed after privacy breach at one Ontario children’s aid office]

CA – Canada Considering Spying on Kids to Stop Cyberbullying

The Canadian government is looking for a person or organization to “conduct an evaluation of an innovative cyberbullying prevention or intervention initiative” in a “sample of school-aged children and youth,” according to a tender notice published by Public Safety Canada last week. Although nothing has been finalized, the government will consider letting the organization spy on kids’ digital communications to do it, Barry McKenna, the Public Safety procurement consultant in charge of the tender, said.  “The tender doesn’t preclude or necessarily require digital monitoring,” said McKenna. “But there are certainly products on the market that do that, and I would guess that that kind of intervention would be one of interest.” The school board overseeing the school used in the study would have to sign off on digital surveillance of kids, McKenna said, and so would Public Safety. McKenna would not disclose whether any person or organization has responded to the tender yet. The government has budgeted $60,000 for the program, the notice states. [Source]

CA – Rise of Private Surveillance Cameras Point to Legal Limbo

As more homeowners spread the reach of “Little Brother” by installing security cameras on their property, chances are images of their neighbours’ properties or the neighbours themselves could end up being recorded without their knowledge. And while provincial and federal privacy laws are designed to protect citizens from snooping by governments and businesses, they don’t apply to cameras on individuals’ private property. The Office of the Information and Privacy Commissioner for B.C. doesn’t have jurisdiction over homeowners who use security cameras or collect data for personal use, spokeswoman Michelle Mitchell said. But private citizens are using the camera or the data for commercial purposes would be subject to the provincial Personal Information Protection Act — “for example, if a homeowner who is also landlord has a CCTV camera that happens to capture images of a tenant,” Mitchell said. “It is not the type of device (i.e., CCTV system), or its location, but why the information is being collected, and what it is being used for, that determines whether our office has jurisdiction,” said Mitchell. [Source]


UK – Study Reveals Post-Snowden Surveillance Chilling Effect

A new study from Oxford University reveals empirical evidence that knowledge of government mass surveillance programs make the public less likely to read articles about surveillance and other related topics online. The study analyzed Wikipedia traffic before and after the June 2013 Snowden revelations and found evidence of “chilling effects.” Traffic on “privacy-sensitive” articles went down after the “exogenous shock” from the initial Snowden coverage. The articles chosen in the study were based on keywords that are flagged by the Department of Homeland Security for “suspicious” activity. “It means that the NSA/PRISM surveillance revelations … are associated in the findings not only with a sudden chilling effect, but also a longer term, possibly even permanent, decrease in Web traffic to the Wikipedia pages studied,” said the study’s author, Jon Penney. [Full Story]


US – Federal Government Accepted All 2015 Surveillance Requests

An as-of-yet unreleased Justice Department report disclosed that the Foreign Intelligence Surveillance Court received 1,457 communication surveillance warrants from federal law enforcement in 2015, approving all “entirely or in part.” While most of the requests were focused on foreigners’ data, one in five of the warrants were concerned with Americans, the report states. Meanwhile, Facebook indicated that 60 percent of its government-initiated data requests from 2015 prohibited the company from alerting their users, according to U.S. News & World Report. However, “Facebook does not provide any government with ‘back doors’ or direct access to people’s data,” said Facebook Deputy General Counsel Chris Sonderby. “If a request appears to be deficient or overly broad, we push back hard and will fight in court, if necessary.” [ZDNet]

Electronic Records

AU – My Health Record System A ‘Privacy Disaster Waiting to Happen’: APF

The Australian Privacy Foundation has major problems with the federal government’s My Health Record system, saying it’s a “privacy disaster waiting to happen.” The APF says the biggest problem with My Health Record is the amount of access its Medicare Call Centre’s employees have to the system’s data. While the government said it would provide a “clear and robust framework” for the call center in 2011, the APF said not enough has been done in the past five years. “This total failure to deliver on its promise and put in place much needed protections exposes patients to curious call centre operators whose prying and spying are unlikely to be detected,” said Dr. Bernard Robertson-Dunn, chair of the health committee at the APF. [Delimiter]

CA – Insurance Industry Needs to Keep Pace With Data Security

The Canadian life and health insurance industry is making good strides in moving ahead with electronic data exchange, but now needs to ensure that it is keeping pace with ongoing compliance and cyber security issues, a conference was told. Tana Sabatino, implementation services specialist at the Canadian Life Insurance EDI Standards (CLIEDIS), told the organization’s annual seminar in Toronto that its top goal for this year is to concentrate on getting reliable feeds from the advisor to the distributor and over to the carrier. CLIEDIS is the industry association that promotes using electronic data among key members of the life insurance industry, including advisors, managing general agencies (MGAs) and life insurance carriers. Part of that agenda calls for CLIEDIS to ensure data security among members by streamlining the amount of feeds a distributor needs to connect with carriers. Sabatino said there can’t be a situation in which every carrier has a different data stream agreement that each imposes on MGAs. “HUB [for example] isn’t going to implement 15 different security sets of requirements. They’re going to have one, because they have one set of systems.” [Source]


US – Man Jailed for Seven Months (and Counting) for Failure to Decrypt

An unidentified Pennsylvania man has been held in jail for seven months because he has refused to decrypt hard drives that authorities believe contain illicit images. He has not been charged, but is being held in custody because he was found to be in contempt of court for his refusal. The Electronic Frontier Foundation (EFF) has filed an amicus brief on the defendant’s behalf. [Ars Technica] [Electronic Frontier Foundation Amicus Brief] [Ars Technica]

EU Developments

UK – Government Refuses to Give SC Commish Powers He Didn’t Request

The government has refused to give the Surveillance Camera Commissioner (SCC) extra enforcement powers. The problem is that the SCC hadn’t asked for any more powers. In a very brief letter to SCC Tony Porter, the incumbent commissioner, junior Home Office minister Mike Penning said the government was “not yet convinced that granting your office enforcement and sanction powers would improve compliance.” Penning’s remarkably curt letter also informed Porter that he, Penning, would not be available to meet to discuss the SCC’s annual review of CCTV surveillance, which was published earlier this year. He also noted that the Protection of Freedoms Act 2012, which established the commissioner’s office, is “due for post-legislative scrutiny in 2017.” As we previously reported, speaking at an event hosted by the National Security Inspectorate, a non-governmental certification body on 10 March last year, Porter acknowledged that “one thing that has been levelled at the code and my role is that it lacks teeth. This is a fair comment I think. I don’t have any powers of sanction or inspection. So if a relevant authority is not paying due regard to the code of practice there is not much I can do.” Despite this criticism, in another letter to the minister Porter noted that Penning’s response was “confusing” as he “did not request any powers of enforcement or sanction in the Review.” Porter’s 20-page Review of the impact and operation of the Surveillance Camera Code of Practice was published in February. Penning’s brief letter did not respond to several of the issues raised in Porter’s review. The SCC stated that he was “disappointed that apart from recommendation three, there was no comment on any of the other recommendations.” [The Register]

EU – Commission’s Issues New Action Plan for Privacy Standards

On 19 April 2016 the European Commission published its Communication ‘ICT Standardisation Priorities for the Digital Single Market’. The Communication was part of the wider ‘Digitising European Industry’ announcement on 19 April – read our blog here for full details of what was announced. The ICT Priorities Communication thrusts into the limelight an obscure but vitally important area of policy: the setting of common technical specifications for ICT products and services, particularly those related to the ability of different devices to communicate with each other. According to the Communication, common standards that ensure interoperability between digital technologies are the foundation of an effective Digital Single Market. The Communication identifies numerous challenges faced by the current legal framework through which technical standard setting at a European level takes place. The Commission’s solution to these challenges is the adoption of a priority action plan set out in the Communication that comprises i) the identification of five priority ‘building block’ areas of the ICT sector in relation to which standardisation efforts are to be focused (5G, IoT, Cybersecurity, Cloud and Big Data); and ii) a high level political process to validate, monitor and, where necessary, adapt the list of priority areas. [Hogan Lovells]

EU – Other EU News


CA – Compromised Bank Cards Lead to Few Answers From Banks

The president of the Consumers’ Association of Canada is calling on banks to become more transparent and release information about what he feels is an increase in the number of compromised bank cards.

“We’ve seen an escalation in the last 12 months of compromised bank accounts, credit cards, debit cards and PINs,” Bruce Cran said. His organization has received “hundreds” of complaints, not only about initial compromises, but repeated compromises on the same account. He said some accounts were compromised as many as four times last year. “The mere volume of what’s happening at the moment indicates to us that there’s a bigger problem here,” he said. “In terms of privacy breaches involving banking institutions, it’s unusual that you would have a number of banks all at the same time formally notifying customers by mail of their card being compromised,” he said. “This is very unusual.” Charney said privacy is not a reason to withhold information from customers. “What it sounds like to me is some kind of excuse in the short term for the banks to continue to investigate and respond to this data breach before they have to publicly announce it,” Charney said. [CBC]


CA – Saskatchewan Charging Media $180K to Access Land Deal Documents

Attempts by media to obtain documents relating to the controversial Global Transportation Hub (GTH) land deal isn’t coming cheap; the province says it’s going to cost $180,000. A total of 29 Freedom of Information (FOI) requests were filed by the CBC. Fifteen were sent to the GTH and 14 to the Ministry of Highways. According to the province’s estimates the requests could total approximately 9,500 pages.

“In the electronic age it means going back to back-up tapes to get some things. Also, government’s older records are stored off site and we have to get those things in,” Deputy Minister of Justice Kevin Fenwick explained. However, the opposition NDP decried the government’s excuses and is calling it a clear cover-up. “We are talking about a fiasco that ultimately saw a Crown corporation pay alleged Sask. Party insiders three times the estimated value of land close to the Regina highway bypass,” Wotherspoon added. “He needs to scrap this bill and hand over this information.” Meanwhile, a complaint has been filed by the CBC with Saskatchewan’s Information and Privacy Commissioner. [Global News]

CA – Fredericton Secret Meeting Broke the Rules, Privacy Commissioner Says

Everyone who attended a closed-door meeting of Fredericton city council where it approved a letter in support of the Energy East pipeline should have known it was against the Municipalities Act, the province’s privacy watchdog says. Access to Information and Privacy Commissioner Anne Bertrand has been following the controversy after the city sent a letter to the prime minister in support of the pipeline after an in camera meeting on Jan. 26. Thursday, the city issued a statement acknowledging it did not follow the proper process when it sent the letter. Bertrand said, under the act, municipalities are supposed to be open and transparent by default about every decision they make. “They only go to closed sessions when it is necessary, and there are 10 instances that they can do that. So they can’t just decide that anything goes to a closed session,” she said. Bertrand said obvious examples include labour and employment issues, security issues or criminal investigations. [Source]

CA – Fontaine v. Canada Ruling Favours Privacy Of IRS Survivors

In a case that tied questions of aboriginal law with privacy law, the Ontario Court of Appeal decided indigenous Canadians who suffered abuse in residential schools could decide whether their evidence will be archived or destroyed after a mandatory 15-year retention period. Part of the question in Fontaine v. Canada was who gets to decide whether claimants’ testimony, submitted as part of the Indian Residential Schools Settlement Agreement, would be achieved or destroyed. Detailed and often traumatic personal stories of abuse are gathered under the IRSSA’s Independent Assessment Program. The court said the appeals before it raised “the question whether the survivors control the stories of their residential school experiences or whether others do.” In Fontaine, a number of Catholic institutions argued they, too, should consent before the redacted evidence is achieved at the National Centre for Truth and Reconciliation and potentially available for access by future generations. They argued the decision to archive the documents affects the alleged perpetrators and the churches. A lower court judge had found the only consent needed to archive the evidence is that of the claimants themselves. In a decision dated April 4, the court of appeal agreed. [Source]

EU – Google RTBF Requests Report for Europe

Google released a transparency report, presenting figures on European right to be forgotten requests for online searches since the European Court of Justice ruling of May 2014. A total of almost 1.5 million URLs have been evaluated, and of the 422,000 requests for removal, 42.8% were removed; 10 social network sites and search directories account for 8% of all URL removal requests. [Transparency Report: European Privacy Requests for Search Removals – Google]

US – ODNI Publishes 2015 Transparency Report

The Office of the Director of National Intelligence (ODNI) released its third annual transparency report. The report offers statistics about the frequency with which the government employs certain national security authorities, according to a press release. The release follows President Barack Obama’s 2013 direction to the intelligence community that it both declassify and make public data on U.S. surveillance activities to the extent that it was possible while still protecting national security data. Further, the USA FREEDOM Act of 2015 codified the statistics published in the DNI’s annual reports. The release covers “information concerning United States person search terms and queries of certain unminimized, [Foreign Intelligence Surveillance Act]-acquired information,” in addition to unique identifiers from FISA orders. [Source]

US – FBI Customer Record Requests Up 50% in 2015

A U.S. government transparency report revealed FBI requests for customer records were up 50 percent in 2015. The FBI sent 48,642 National Security Letters to Internet and telecommunications companies last year, up from the 33,024 letters in 2014. An NSL is sent by the FBI requesting information on an individual, including phone numbers, emails, IP addresses and other information. The report also states that 31,863 of the requests were made on foreigners, attributed to law enforcement efforts to track terrorist groups such as the Islamic State. In related news, U.S. District Judge Yvonne Rogers has stopped Twitter’s attempt to release more information on surveillance orders it receives from the government. “The First Amendment does not permit a person subject to secrecy obligations to disclose classified national security information,” Rogers wrote. Twitter will have the chance to re-file its case. [FSource ]


CA – NS Suspends “Unreliable” Hair Testing for Child Protection Cases

Nova Scotia has become the fourth known province to suspend or ban the use of drug and alcohol hair testing in child protection proceedings, after New Brunswick, British Columbia and Ontario. The move comes in the wake of a 2014 Star investigation into the Hospital for Sick Children’s Motherisk laboratory, which found that prior to 2010, the lab was using a hair test that was not recognized as the “gold standard.” An independent review deemed the hair test results “inadequate and unreliable” in 2015. They were used in potentially thousands of child protection cases in Ontario as well as in British Columbia, Quebec, Nova Scotia and New Brunswick, where they were routinely accepted as evidence with little scrutiny in court. Questions have been raised for years about hair strand testing, regardless of the laboratory performing the service. Because of the effect of alcohol-based hair products, “the risk for false-positive results appears high when monitoring a female population,” Motherisk’s own manager at the time, Joey Gareri, wrote in a 2011 paper he co-authored with Motherisk founder and director Gideon Koren. Studies have also suggested that drugs appear to be incorporated more readily into darker-coloured hair, and there is also evidence that the way substances are incorporated into the hair of a single individual may vary from strand to strand. Motherisk ceased its hair testing practices in 2015 prior to the completion of the independent review, but some provinces were still using hair tests from other labs in some cases until very recently. [Source]

Health / Medical

CA – Massive Health Information Overhaul Coming to Alberta

Patients tired of retelling medical histories, physicians frustrated with a cumbersome record system too reliant on paper, and administrators struggling to cut costs hope to benefit from a massive health information overhaul in Alberta. The government has vowed to invest $400 million over the next five years to begin replacing most of the 1,300 unconnected technology platforms currently in use within Alberta Health Services. The new, single clinical information system will be deployed across the province after an initial rollout in Edmonton facilities, where an antiquated, 30-year-old technology has been a festering headache. Dr. Robert Hayward, chief medical information officer for AHS, described a clinical information system as a giant integrated data hub that serves every aspect of the health system a patient might touch, from drug prescriptions and diagnostic tests to rehab clinics and home care. He said the best systems not only offer information for individual users, but can also manage broad, systemwide data on admissions and discharges, and the management of beds and supplies. For patients, Hayward said one of the biggest benefits will be the ability to have a single medical record that can be accessed by health providers at any point in the system. Currently, patients are often forced to repeatedly explain their health stories to different professionals, rather than having a seamless experience in which everyone is working from the same information. The system is also expected to have a portal for patients to access their own information. For health professionals, the arrival of the system should modernize processes that are often described as excessively time consuming and prone to error. Hayward said $400 million will “kick-start” the project by allowing AHS to issue a request for proposals. It’s expected the successful company will need a couple of years to install the new technology platform across the Edmonton zone, which is behind Calgary and plagued with a system at risk of failure. Then, over the next 10 years, the idea is to extend the system all over the province so that every provider can use it, including small doctors’ offices. Hayward said cost savings from the first rollout of the technology will be used to fund the later stages. [Edmonton Journal]

CA – Settlement Reached in Lawsuit After Edmonton Medicentre Laptop Theft

A settlement has been reached in a class-action lawsuit filed after a laptop containing the personal health information of 620,000 Albertans went missing. The settlement totals $725,000 to resolve credit damage, mental distress, increased risk of future identity theft and time and costs associated with preventing identity theft. The lawsuit originally sought $11 million. It was filed in 2014 against Medicentres Canada Inc., AbleIT Inc. and third-party individuals after an unencrypted laptop of an IT consultant for Medicentres was stolen from an Edmonton medical clinic in September 2013. The computer contained the names, birth dates, Alberta Health Care numbers and Alberta Health diagnostic codes of people who attended a Medicentre clinic in Edmonton or Calgary between May 2, 2011, and Sept. 19, 2013. People who were affected by the records loss can register with the law firms. There are different categories of claimants, including those who suffered mental stress and sought medical attention; those who can show that their identities had been stolen as a result; and those concerned about identity theft. [Source]

UK – NHS to Share 1.6 Million Health Records with Google AI Company

Google’s artificial intelligence company DeepMind has struck a deal with the UK’s NHS to access healthcare data of 1.6 million people. The agreement allows DeepMind access to current and historical data for patients at three London hospitals to develop an app to help monitor patients with kidney disease. The access granted in the agreement covers all health data, not just kidney disease data. [New Scientist] [The Register] [SCMagazine] [] See also: [Google company’s access to NHS records raises privacy concerns]

WW – Why Cybercriminals Attack Healthcare More Than Any Other Industry

Cybercriminals attacked the healthcare industry at a higher rate than any other sector in 2015, and more than 100 million healthcare records were compromised last year, according to a new report published by IBM. In fact, 2015 was “the year of the healthcare breach,” IBM said in its 2016 Cyber Security Intelligence Index. The rate of attacks against the healthcare sector climbed to the highest level of all industries studied in 2015, after not making the top five in 2014, as healthcare leaped ahead of the manufacturing, financial services, government and transportation industries. Data breaches in the healthcare sector are also getting larger – with five of the eight largest health data breaches reported since 2010 (those with more than 1 million records compromised) occurring in the first six months of 2015, IBM’s report said. And the cost of data breaches is going up, particularly in healthcare, according IBM’s 2015 Cost of a Data Breach study. While the average cost of a data breach across all industries was $3.8 million in 2014 – up 23% from 2013 – the cost per record in the healthcare sector was $363 per record breached, more than twice the overall average of $154 per record. [Source]

Horror Stories

WW – Massive Breaches at Major Email Services, 272.3 Million Affected

Hundreds of millions of hacked user names and passwords for email accounts and other websites are being traded in Russia’s criminal underworld. The discovery of 272.3 million stolen accounts included a majority of users of Russia’s most popular email service, and smaller fractions of Google Yahoo and Microsoft email users, said Alex Holden, founder and chief information security officer of Hold Security. It is one of the biggest stashes of stolen credentials to be uncovered since cyber attacks hit major U.S. banks and retailers two years ago. [Reuters]

WW – Notable Privacy Breaches

Intellectual Property

US – Self-regulatory Group Takes Action Against Three App Developers

Three popular app publishers have changed their privacy practices after the enforcement arm of the Better Business Bureau found they were out of compliance with accepted self-regulatory standards. The makers of Spinrilla, Top Free Games and Bearbit Studios were found to be out of compliance with the Digital Advertising Alliance’s Self-Regulatory Principles. [Full Story]

Internet / WWW

WW – Google for Work & Google Cloud Get New Security/Privacy Certs

In what is clearly part of the company’s efforts to get more enterprise customers on its platforms, Google announced that it has renewed its ISO 27001 certification for the fourth year in a row and upped its product coverage from 34 to 59 products. In addition, Google Apps for Work and the Google Cloud Platform have now also been certified for ISO 27017 for cloud security and ISO 27018 for privacy. Google already said it would adopt ISO 27018 for Google Apps for Work last year. ISO 27017 basically certifies that Google’s virtual networks are as secure as its physical networks, that data is protected and inaccessible to other customers on the same platform and that it’s clear which security responsibilities fall on Google and which are the customer’s. ISO 27018 mostly covers privacy controls. It certifies that Google doesn’t use its customers’ data on the covered platforms for advertising, for example, and that the customers’ data remains theirs. It also certifies that Google lets you delete and export your data and is transparent about where the data is stored. Because enterprises do look for these certifications when they decide on a cloud provider, it’s no surprise that Amazon’s AWS and Microsoft’s Azure also offer similar compliance assurances. AWS already offers the same ISO 27001, 27017 and 27018 certifications as Google, for example. Azure, too, is ISO 27001- and 27018-compliant. [Source]

Law Enforcement

US – Maryland Cops deploy StingRay Tech Against Chicken-Wing Thief

Police in Maryland, US, used controversial cellphone-tracking technology intended only for the most serious crimes to track down a man who stole $50 of chicken wings. Police in Annapolis used a StingRay cell tower simulator in an effort to find the location of a man who had earlier robbed a Pizza Boli employee of 15 chicken wings and three sandwiches. Total worth: $56.77. In that case, according to the police log, a court order was sought and received but in many other cases across the US., the technology is being used with minimal oversight, despite the fact it is only supposed to be used in the most serious cases such as terrorism. Annapolis police never found the thief but he represented just one of 17 occasions on which the city of 40,000 people used the device in 2011. Its use is far more prevalent in larger cities. The Philip Merrill College of Journalism’s Capital News Service found that Maryland State police has used a StingRay at least 125 times since 2012. Howard Country, which lies to the south of Baltimore and with a population of 300,000, has used a StingRay 129 times since 2011. The police in Baltimore City have used its StingRay an extraordinary 4,300 times since 2007, sparking an investigation and review of 2,000 of them. New York City has used its StingRay more than 1,000 times since 2008. [The Register]


US – Westin Centre Issues New Geolocation Practice Guide

Geolocation is used for purposes ranging from emergency services to targeted advertising to fraud prevention. For consumers, the use of geolocation has obvious benefits — though concerns over how this data is collected, accessed and used, and by whom, has been a consistent topic of debate. Regulators from across the globe have weighed in with guidance and legislation, industry groups have issued codes of conduct and even the U.S. Supreme Court has offered an opinion. This IAPP Westin Center Practice Guide offers a quick way to get up to speed on geolocation and the issues surrounding it. [Full Story]

EU – Healthcare Apps and Wearables Create High Risks for Users: German DPAs

During their last Data Protection Conference, the German data protection authorities (DPAs) agreed on a resolution on data protection principles that providers of healthcare apps and wearables should consider. According to the resolution, almost a third of the German population 14 years or older uses wearables (body-worn devices that record an individual’s health data) and healthcare apps (mobile device software offering health-related services). The DPAs claim that these devices and apps collect personal health data, which is subsequently transmitted to manufacturers, internet providers, and other third parties. In general, under German law, a company may collect, process, and use personal health data only if specifically authorized by law, such as the German Federal Data Protection Act (FDPA), or if the data subject has consented. The resolution clarifies how these requirements apply to wearables and apps:

  • Manufacturers of wearables and healthcare apps should use data privacy-friendly technologies and default settings (e.g., privacy by design), and should adhere to the principles of data reduction and data minimization, as well as anonymization/pseudonymization.
  • A data subject’s consent regarding the collection, processing, and use of personal health data should be transparent, particularly regarding a transfer to third parties.
  • In the context of employment and insurance, any consent to use of personal health data likely is invalid, based on concerns regarding significant negotiating imbalances between the parties. Consistent with the German DPA’s view, the Dutch DPA recently stated that an employee’s consent to the use of wearables to be not valid due to the financial dependence of the employee.
  • Legal requirements for data security cannot be waived contractually or via consent.
  • In the case that multiple parties are involved in the creation or distribution of wearables and healthcare apps, those parties have a joint responsibility for the wearables and apps, including issues such as meeting quality standards, ensuring IT security, functionality, and the transparency of data usage. However, the resolution does not explain how joint responsibility should operate in practice. [Source]

Online Privacy

US – Supreme Court Gives FBI More Hacking Power

The Supreme Court this wseek approved changes that would make it easier for the FBI to hack into computers, many of them belonging to victims of cybercrime. The changes will take immediate affect in December, unless Congress adopts competing legislation. Previously, under the federal rules on criminal procedures, a magistrate judge couldn’t approve a warrant request to search a computer remotely if the investigator didn’t know where the computer was—because it might be outside his or her jurisdiction. The rule change, sent in a letter to Congress on Thursday, would allow a magistrate judge to issue a warrant to search or seize an electronic device if the target is using anonymity software like Tor. Over a million people use Tor to browse popular websites like Facebook every month for perfectly legitimate reasons, in addition to criminals who use it to hide their locations. The changes, which would allow the FBI go hunting for anyone browsing the Internet anonymously in the U.S. with a single warrant, are already raising concerns among privacy advocates who have been closely following the issue. [The Intercept]

Privacy (US)

US – SCOTUS Approves Rule 41 Update, Privacy Advocates Outraged

The Supreme Court approved an update to Rule 41 this week, effectively expanding judges’ abilities to issue warrants for access to computers outside of their jurisdictions. The move has drawn criticism from Sen. Ron Wyden, D-Ore., and several privacy advocates. Last month, Wyden warned of the potential change and vowed to stop it. Congress has until Dec. 1 to either amend or deny the update. “Under the proposed rules, the government would now be able to obtain a single warrant to access and search thousands or millions of computers at once; and the vast majority of the affected computers would belong to the victims, not the perpetrators, of a cybercrime,” said Wyden. Open Technology Institute’s Kevin Bankston said the “obscure rule change” authorized “a whole lot more” government hacking. [Morning Consult] See also: [A retail industry group is railing against a bill that would require companies to notify customers following a breach and set nationwide data security standards similar to those in the financial sector] and [A House Committee on Education and the Workforce hearing to evaluate the 1974 Family Educational Rights and Privacy Act and how Congress should update it.]


WW – SS7 Network Leaves Major Hole in Cellphone Security

Signaling System No. 7 network’s vulnerabilities have caused major problems for smartphone security. SS7 is a set of technical rules for how data gets exchanged in cellular networks, mainly involving computing cellular billings, texts, and assisting when users are roaming. The vulnerability in the network was revealed last week during a “60 Minutes” episode in which researchers demonstrated how they could hack into Rep. Ted Lieu’s, D-Calif., smartphone. Lieu has since called for a congressional hearing on SS7, and the Federal Communications Commission has said it will examine the issue as well. [Wired]

WW – Latest Security Study Worry: How Many Times Will You Be Breached?

The threat level of cyber attacks on virtually every organization continues to increase, with more than half of companies reporting the loss of customer data due to DDoS attacks, and three-quarters of organizations suffering a breach in 2015. Those are among the findings of the latest research from Neustar, Inc., from its third global DDoS Attacks and Protection Report titled The Threatscape Widens: DDoS Aggression and the Evolution of IoT Risks. The research results show that although revenue loss caused by a DDoS related outage is usually the main concern of targeted organizations, 57% of all breaches involved some sort of theft including intellectual property and customer data as well as financial information. “More troubling, following the initial breach, 45% of organizations reported the installation of a virus or malware – a sign that attackers are interested in causing ongoing harm,” the report explains. The research highlights that although DDoS attack tactics continue to evolve from single large attacks intended to take a website offline to the multi-vector attacks we are seeing today, organizations are fighting back. The research revealed that 76% of companies are investing more in DDoS protection than in 2014, and 47% of the attacked organizations are participating in security consortiums to share information on threats and counter measures. [Source] [Neustar Press Release]

Smart Cars / Internet of Things

WW – Samsung SmartThings Vulnerabilities

Researchers from the University of Michigan have published an “in-depth empirical security analysis” of the Samsung’s SmartThings smart home platform, a program that allows people to use SmartApps to control all sorts of Internet-connected devices in their home from their smartphone. The researchers found they could trigger false smoke alarms and plant code in digital locks that would allow them access to the house. They noted that the SmartApps are capable of gaining privileges they do not need, and that the SmartThings event subsystem offers inadequate protection of events that transmit sensitive data. [The Register] [Wired] [CNET] [Ars Technica] [Security Analysis of Emerging Smart Home Applications]

SG – Singapore Ramping Up Smart City Efforts

Singapore is planning to create the most elaborate and comprehensive smart city in the world. The country plans on placing an undetermined amount of cameras and sensors around the city, permitting the government to check everything from crowd numbers to the movement of vehicles. While the smart city’s capabilities won’t be fully realized until after it is implemented, some early uses could include monitoring events such as the spread of infectious diseases. The government is working on finding the best way to ensure citizens’ privacy won’t be violated, according to the report. While public meetings haven’t been held on protecting citizens’ privacy, the government insists collected data will be anonymized as much as possible. [The Wall Street Journal]

US – Proposed Michigan Bills Would Have Car Hackers Face Life in Prison

State legislators in Michigan have introduced two bills that would impose a life prison sentence for anyone who maliciously accesses automobile computer systems. One of the bills reads, in part, “a person shall not intentionally access or cause access to be made to an electronic system of a motor vehicle to willfully destroy, damage, impair, alter, or gain unauthorized control of the motor vehicle.” [ComputerWorld] [The Register] [CNET]

CA – Lawyers Ask SCOC to Consider “Black Box” Privacy

Two Kamloops lawyers are making a bid to overturn a B.C. Court of Appeal decision that found drivers have no expectation of privacy relating to data in their vehicle’s black box. 54-year-old Wayne Fedan of Kamloops was convicted in September 2014 of dangerous driving causing death in connection to a crash four years earlier. He was sentenced to three years in prison and handed a three-year driving ban to begin following his sentence. The sentencing judge found data contained in the black box of Fedan’s pickup truck showed his foot was on the accelerator as he rounded a corner at more than twice the posted speed limit. Lawyers Micah Rankin and Anthony Varesi have filed an argument with the Supreme Court of Canada. The court has yet to decide whether it will hear the appeal. The March 20, 2010, crash on Mackenzie Avenue, at the turn in front of the entrance to McArthur Island, killed 20-year-old Brittany Plotnikoff and 38-year-old Kenneth Craigdaillie. All three were at a party together and Fedan was driving them home. Both the B.C. Supreme Court and B.C. Court of Appeal rejected arguments that police required a search warrant before accessing data in the vehicle’s black box (known as the sensing diagnostic module, or SDM). Rankin and Varesi’s argue Canada’s highest court should consider the appeal based on what they call “an issue of national importance,” including four factors:

  • Changes in technology mean automobiles have become “repositories of potentially vast amounts of personal information about drivers” — information that should have protection of privacy rights.
  • The decision sets a precedent for seizure without a search warrant.
  • The decision is at odds with rulings in senior Ontario courts, which found drivers have an expectation of privacy in material contained in the black box.
  • The appeal asks whether the Canadian Charter of Rights and Freedoms limits police from accessing data from devices in automobiles. [Source]


US – Schumer Wants FTC to Investigate Billboard Tracking

Saying it raises “serious questions about privacy,” Sen. Chuck Schumer, D-N.Y., has called on the Federal Trade Commission to investigate Clear Channel Outdoor, a company that manufactures billboard-tracking technology. The RADAR technology uses mobile phone data to collect information for advertising. “Your personal cellphone should not become a James Bond-like gadget that’s used against you by some company,” adding, “You should have to give them permission to follow you when you drive or walk by a billboard.” Earlier this year, Sen. Al Franken, D-Minn., wrote a letter to the company with his privacy concerns. “RADAR uses only aggregated and anonymized information from privacy-compliant third-party data providers who have verified that they adhere to consumer-friendly business practices,” said Clear Channel Outdoor spokesman Jason King. [Full Story]

UK – Civil Rights Group Releases Video Satirizing Investigatory Powers Bill

Liberty, a civil rights campaign charity, released a video lampooning the potential surveillance powers the British government could possess if the Investigatory Powers Bill is passed. In “Show Me Yours,” comedian Olivia Lee approaches random citizens, browbeating them into showing personal information on their phones. Lee is met by a series of irritated individuals, highlighting Liberty’s opposition to the bill Home Secretary Theresa May is looking to pass and how citizens don’t want third parties looking at their information. “As our film shows, people naturally recoil when a stranger asks to see their phone — there’s a reason we use encrypted services and protect our phones and computers with passwords and codes,” said Larry Holmes, Liberty’s digital and campaigns coordinator. [The Huffington Post]

Telecom / TV

UK – 72% Orgs Support BYOD Despite Privacy/Security Concerns: Survey

According to the results of a new survey, 72% of organisations across the financial services, technology, healthcare, government and education sectors support BYOD for all or some employees. However, only 14% have successfully deployed Mobile Application Management (MAM) solutions, creating issues in areas such as controlling access to corporate data and enforcing device encryption. In most of the industries surveyed, employee satisfaction was seen as a key benefit of enabling BYOD, with government being the only exception where it was valued by less than half (44%) of respondents. In contrast, privacy was cited as the biggest inhibitor to BYOD adoption in 52% of SMBs, with large organisations being more concerned with security. Data leakage was one of the top concerns across all sectors, including 81% of financial services, 90% of healthcare and 79% of education organisations. Despite this concern, device encryption was supported in only 36% of educational institutions, 56% of financial services organizations and 57% of healthcare organizations. The full report, entitled ‘How Forward-Looking Industries Secure BYOD,’ surveyed more than 800 cyber security professionals and can be found here. [Source]

US Government Programs

US – FBI Use of National Security Letters Up by 50% in 2015

FBI requests for customer records under a secretive surveillance order increased by nearly 50 percent in 2015, according to a U.S. government transparency report published this week. Internet and telecommunications companies in 2015 received 48,642 requests, up from 33,024 reported in 2014, for data via so-called National Security Letters (NSLs). The NSL is a tool used by the FBI to gather phone numbers, email and IP addresses, web browsing histories and other information. An NSL does not require a warrant and is usually accompanied by a gag order. The amount of actual written orders issued decreased in 2015, however, from 16,348 to 12,870. One NSL often contains multiple requests for information, such as a series of email addresses believed relevant to an investigation, where each address counts as one request. The year-to-year statistics may not be entirely precise due to changes in reporting requirements ushered in last year under a surveillance reform law passed by Congress, sources familiar with the process said, but they indicate general trends. The majority of NSL requests, 31,863, made in 2015 sought information on foreigners, regarding a total of 2,053 individuals, according to a Justice Department memo sent to Congress, while the amount of requests on U.S. persons declined. A U.S. government source said the rise in NSL requests is in part attributable to efforts by militant groups such as Islamic State to use multiple accounts across several different communications platforms. [Reuters]

US – White House to Commence Artificial Intelligence Workshops

In an official White House blog post, Deputy U.S. Chief Technology Officer Ed Felten announced a new series of public workshops designed to better understand the potential benefits and concerns about artificial intelligence. Felten notes that “a series of breakthroughs in the research community and industry have recently spurred momentum and investment” in the AI field. With a potential to transform health care, education and transportation, AI will also bring with it risks, including privacy and security risks. As a result, the White House Office of Science and Technology Policy will co-host four workshops in the coming months. Cities include Seattle, Washington, Pittsburgh and New York City. The workshops will then “feed into the development of a public report later this year,” Felten wrote. [Full Story]

US Legislation

US – House Passes Bill Aimed at Closing ECPA Loophole

The US House of Representatives has unanimously passed the Email Privacy Act, which would amend an outdated law to protect the privacy of digital communications. The wording of 1986’s Electronic Communications Privacy Act (ECPA) was being interpreted to allow law enforcement to demand email and other electronic communications without a warrant. The Email Privacy Act would require authorities to obtain warrants to access the information. [The Hill] [Ars Technica] [ComputerWorld] ee also: The House Energy and Commerce Committee passed a bill levying heavy punishments for individuals committing the prank known as “swatting“ — a form of online trolling.

US – Colorado Student Data Privacy Bill Gets Unanimous Senate Approval

The 2016 legislative session’s biggest education policy bill — a measure intended to protect the privacy and security of student educational data — passed the Senate 35-0 this week. The vote continued the unbroken string of success for House Bill 16-1423, which has passed unanimously on every committee and floor roll call since it was introduced. That’s a pattern usually seen only with the most minor, technical bills. The measure’s original text also has survived almost entirely intact. The main elements of the bill include a detailed definition of personally identifiable information that must be protected, restrictions on software companies and other vendors, and additional transparency and disclosure requirements for the Colorado Department of Education and school districts. The bill also sets some district controls over classroom apps and software used by teachers. The bill returns to the House for consideration of non-controversial amendments, approval of which will be a formality. [Source]

US – Other US Legislative Developments




Privacy News Highlights: 19-25 April 2016


CA – Manitoba Ombudsman Lays Charges for “Snooping”

The Manitoba Ombudsman has laid charges for snooping under new provisions in the Personal Health Information Act. Individuals using, accessing or attempting to access personal health information without cause are now committing a fineable offence under the Personal Health Information Act. [Manitoba Ombudsman lays “snooping” charge under The Personal Health Information Act]

CA – Ransomware: OIPC SK Provides Guidance on Preventive Measures

The OIPC in Saskatchewan released guidance to public and private sector organisations on how to manage ransomware. Organizations should install anti-virus software, educate employees about phishing attacks, maintain offline backups of data and have an infection response plan in place; if attacked remove the infection, and attempt to restore the files or system from backup. [Office of the Saskatchewan Information and Privacy Commissioner – Ran$omware…What You Need to Know]

CA – Assisted Dying Bill C-14 Could Violate Charter, Feds Acknowledge

In a written explanation of the reasoning behind the proposed new law on medical assistance in dying, the Justice Department acknowledges that the bill could violate the charter of rights on a number of fronts.

They include:

  • Excluding those who are suffering intolerably but whose natural death is not reasonably foreseeable could violate the right to life, liberty and security of the person.
  • Treating people differently on the basis of their different medical conditions could violate equality rights.
  • Not allowing advance directives could force those with competence-eroding conditions like dementia to take their lives prematurely or risk permanently losing access to medically assisted death once they no longer have capacity to consent, thereby violating equality rights and the right to life, liberty and security of the person.
  • Restricting access to adults at least 18 years of age could violate the right not to be discriminated against based on age.
  • Requiring two independent people to witness a written request for medical assistance in dying could violate privacy rights. [Source]

CA – OPC to Investigate RCMP Over Alleged Stingray Cellphone Surveillance

While the outcome of the Privacy Commissioner’s investigation may hinge on whether the RCMP obtained proper judicial authorization prior to the use of Stingrays in particular cases, the validity of the legislation providing for such authorization could be open to an attack under the Canadian Charter of Rights and Freedoms and might also contravene telecommunications legislation. Whatever the legal outcome, the disclosure of the use of Stingrays has already sparked a public debate that could act as a catalyst for new legislation specifically regulating the use of Stingray devices. [Source]

CA – Brison Pledges to Improve Reporting of Privacy Breaches

Treasury Board will work with Canada’s Privacy Commissioner to improve the reporting of privacy breaches by federal government departments, said Treasury Board President Scott Brison following a committee meeting. “It’s an area that we will work with the commissioner and the commissioner’s office and with departments and agencies to understand fully what we can do to improve results and we’re seized with it.” Brison’s comments come after documents tabled in Parliament last week revealed that federal government departments and agencies breached the privacy of thousands of Canadians last year but only a fraction of those incidents were ever reported to Canada’s Privacy Commissioner Daniel Therrien. While departments don’t have to inform the privacy commissioner’s office of every incident, the documents also revealed that there was a wide range in the proportion of the breaches reported to the Privacy Commissioner’s office. [Source]

CA – RCMP Memo Details Public Safety Risks Via Surveillance Devices

A 2011 internal Royal Canadian Mounted Police memo warns of the ways in which IMSI catchers can negatively affect public safety. The memo mentions how the devices, which mimic cellphone towers to obtain data, can block important phone calls, including people dialing 911. RCMP has been using IMSI to surveil for potential crimes, but the internal memo indicates warnings of a risk to innocent third parties. Details within the memo also hint at expanded use of the devices by the RCMP. “When considering whether the use of the [IMSI catcher] should be authorized … officers should weigh the need to prevent imminent bodily harm, preserve life and investigate serious crimes … against the importance of having a reliable 911 system that Canadians can count on in all circumstances,” the memo reads. [The Globe and Mail]


US – Poll: American Voters Overwhelmingly Want Privacy, Encryption

Voters overwhelmingly support encryption and other measures to protect their digital privacy, according to a new poll from ACT | The App Association trade group. In the survey, 93% of respondents said it’s important that the photos, health data or financial information they store on their phones and apps, or share online, stay secure and private. Nearly the same number (92 percent) said they need “powerful, consumer-focused encryption technology” to make sure their information is secure. Meanwhile, the survey also found that 54% of respondents trust tech companies like Apple, Google and Facebook more than federal agencies, like the FBI, to protect personal information on their electronic devices. Only 21% said the reverse. [FedScoop]

US – Study: Trust in Social Media Companies Ranks Very Low

An Environics Communications study found only 26% of those surveyed ranked social media with a five or higher on a seven-point scale of trustworthiness. “These are relatively new industries, they haven’t had a lot of time to accumulate baggage … but there’s something about what’s going on that is not creating trust,” said Environics CEO Bruce MacLellan. Companies’ use of personally identifiable information and other elements of a user’s social media content for targeted advertising may be the source of anxiety. “The whole privacy issue is a huge part of this,” MacLellan said. “People are wary about what’s going on with that content, and how it’s being used.” [The Globe and Mail]


US – Email Privacy Act Expected to Pass in House Vote

House Majority Leader Kevin McCarthy, R-Calif., docketed a vote for the Email Privacy Act in the upcoming week. If passed, the legislation would mandate law enforcement officials get a warrant before accessing users’ electronic communications stored by tech companies, the report states. It came through committee in early April with only minor revisions. While the bill is believed to pass the House with ease due to its more than 300 co-sponsors, its Senate journey might not be so clear-cut, the report adds. Senate Judiciary Committee Chairman Chuck Grassley, R-Iowa, “has previously expressed sympathy for some agencies’ concerns.” [The Hill]

US – Study: Phishing Email Attacks on the Rise

Verizon’s ninth annual Data Breach Report found that phishing emails were the primary catalyst for data loss, with the amount of emails opened growing from 23-30% in the last year. Embracing two-factor authentication is one potential for companies looking to avoid falling prey to phishing attacks, said Verizon’s Bryan Sartin. “It would mitigate an entire swathe of these breaches.” [CSO Online]


US – Tech Groups Write Open Letter Criticizing Encryption Bill

Four major tech groups, representing companies including Facebook, Netflix and Google, have written an open letter to a pair of senators regarding their bill requiring all encryption have the ability to be cracked when needed. The bill, by Senators Richard Burr, R-N.C, and Dianne Feinstein, D-Calif., was recently leaked and widely criticized. “We write to express our deep concerns about well-intentioned but ultimately unworkable policies around encryption that would weaken the very defenses we need to protect us from people who want to cause economic and physical harm,” the letter’s opening reads. The letter arrives at the same time a new survey from ACT reveals that 93% of respondents said it’s important their data is secured, with 92% needing strong encryption on their devices. [TechCrunch]

EU Developments

EU – EDPS Finds Commission Proposal to Exchange Non-EU Citizens’ Criminal Data Disproportionate

The European Data Protection Supervisor provides an opinion on the European Commission’s proposal to extend the European Criminal Records Information System to third country nationals. Member States would be obliged to store the fingerprints of all convicted non-EU citizens to ensure proper identification of individuals; however, not all Member States store fingerprint data or are connected to the national automated fingerprint identification system, and it is not necessary or proportionate to require storage of fingerprint data regardless of States’ sanction thresholds or the nature of the offence. [EDPS – Opinion 3/2016 – Exchange of Information on Third Country Nationals as Regards the European Criminal Records Information System]

EU – German Constitutional Court Finds Police Investigative Powers Too Broad

The German Federal Constitutional Court hears a complaint alleging that certain provisions introduced into the Federal Criminal Police Office Act are unconstitutional. Criteria for collection of personal data do not have requirements that a specific and foreseeable incident is present or an individual’s behavior substantiates a specific probability for terrorist offences, surveillance of private homes is not fully proportionality and constitutes a serious interference with individual privacy (it should focus exclusively on target persons communications), and the body charged with viewing the collected data (members of the police force) are not sufficiently independent. [Germany Federal Constitutional Court Declared BKA Act Partly Unconstitutional]

EU – US Hesitant to Renegotiate Privacy Shield Following EU Regulators’ Opinion

After European privacy regulators articulated concerns with Privacy Shield, the U.S. is reluctant to reopen negotiations. European data protection authorities weren’t pleased with the amount of U.S. surveillance permitted in the new Shield agreement, and while their approval is not needed to finish the deal, they will be enforcing it and aiming to ensure it doesn’t meet the same fate as Safe Harbor. With massive amounts of business on the line, delays to Privacy Shield implementation might be too costly to consider, the report states. “Given the pressure that currently exists with U.S. organizations and even in Europe, with organizations there trying to conduct business, my bet is that we’re going to see the Commission go forward with Privacy Shield,” said a lawyer from Foley & Lardner LLP. [The Hill] [The U.K. Information Commissioner Christopher Graham voiced his disappointment that the U.S. has articulated it isn’t interested in reopening negotiations for the Privacy Shield] U.S. businesses expressed their anxieties after the Article 29 Working Party released its opinion of the E.U-U.S. Privacy Shield agreement.


CA – Identity Management: FINTRAC Clarifies Which Client ID May Be Requested and/or Recorded for Identity Verification

FINTRAC has issued guidelines to securities dealers on client identification. Acceptable ID must have a unique identifier number, have been issued by a provincial, territorial or federal government, be valid (unexpired), and an original (not a copy); examples include an individual’s birth certificate, driver’s licence, Canadian or foreign passport, record of landing, permanent resident card, or certificate of Indian status or a provincial or territorial identification card (issued by prescribed entities). [Financial Transactions and Reports Analysis Centre of Canada – Guideline 6E: Record Keeping and Client Identification for Securities Dealers]


CA – Doctors, Pharma Company Funding and Privacy

Your doctor could be getting money from pharmaceutical companies and doesn’t have to tell you. It’s not uncommon for health practitioners to have relationships with industry — companies may be in touch about new drugs, sponsor educational conferences or compensate doctors financially for consultation, for work on advisory boards or in clinical trials. If your doctor’s in the United States, you can search their name in a public database and find each payment itemized by date, company and amount, thanks to the Sunshine Act, part of the Affordable Care Act. The legislation requires any pharmaceutical company giving payments or “transfers of value” of any kind or amount to American doctors to disclose them in detail. Canada has no such law. Canadian pharmaceutical companies are legally required to itemize all of their payments to doctors in Detroit, Fargo, Spokane and Seattle — but none of their payments to doctors in Windsor, Winnipeg, Calgary or Vancouver. Disclosures for presentations, not patients Nav Persaud, a researcher and physician with St. Michael’s Department of Family and Community Medicine in Toronto, wants that to change. “There are requirements to disclose that funding when, for example, you’re giving a talk to your colleagues. What there’s not clear guidance on is whether those gifts or payments need to be disclosed to patients.” Provincial governments could do it easily, Persaud argues: Ontario, for example, could pass a law requiring all the companies manufacturing drugs covered under the Ontario Drug Benefit to disclose and itemize all of their payments to Ontario health practitioners. [Global News]

US – FBI Officials Keep Tactics Secret, Even from Fellow Agents

According to documents recently disclosed under a Freedom of Information Act lawsuit, FBI officials have long aimed to keep their surveillance tactics secret even from fellow law enforcement officials. Officials “once warned agents not to share details even with federal prosecutors for fear they might eventually go on to work as defense attorneys.” Privacy advocates are concerned that secrecy makes court scrutiny of such practices difficult. Meanwhile, it’s been reported that the Drug Enforcement Administration has been taking tips from National Security Agency data. [USA TODAY]

CA – Ontario’s Police Watchdog Lags Behind Others in Transparency

When a BC man died after being Tasered during an arrest last year, the province’s civilian police watchdog launched an investigation that ultimately cleared the five Chilliwack RCMP officers involved in the death. The officers “acted appropriately” when they used the Taser, wrote Chief Civilian Director Richard Rosenthal in his recent report. Their force was not excessive and no officer should be charged in relation to the death. Then Rosenthal backed that decision up — in a detailed, 12-page public report posted on the watchdog’s website, a document that is “virtually identical” to the report sent to B.C.’s Ministry of Justice, according to the watchdog’s spokesperson, Marten Youssef. That report includes: a timeline of 911 and dispatch calls and a description of their content; a breakdown of the evidence provided by two witness officers and five civilian witnesses; a summary of an analysis of the conducted-energy weapon and of the autopsy report; an explanation of the legal issues, including whether the officers used excessive force that resulted in his death; and the director’s analysis of the evidence.

In cases where B.C.’s Independent Investigations Office clears an officer, the agency releases a decision that is as detailed as possible, because in cases with no charges, “there better be an explanation, and a comprehensive one,” Youssef said. He acknowledges that few people will actually read them from start to end, “but it needs to be there.” “It’s a question of transparency,” he said. Ontario — once a leader in civilian oversight after establishing Canada’s first provincial police watchdog, the Special Investigations Unit, in 1990 — is now lagging behind other provinces when it comes to the transparency measures of its independent police oversight agencies. [Source]

Health / Medical

NO – Norwegian Appeals Board Upholds DPA’s Denial of Approval for Health Data Research Project

The Privacy Appeals Board reviewed the Norwegian Data Protection Authority’s decision to reject an application from the University of Oslo’s to process health data for a research project. The research project’s proposed collating of data from various sources, including a national patient register, would have permitted the indirect identification of individuals, which did not sufficiently meet pseudonymisation requirements; the DPA was correct in finding that relevant legislation requires that such pseudonymisation be irreversible. [Privacy Appeals Board, Norway – PVN-2015-12 – University of Oslo Health Research Project]

WW – Health Data: Challenges in Providing Notice to Users of Wearable Devices

Current and future challenges of obtaining meaningful consent, before collecting or processing health-related data generated by individuals’ wearable devices. Organizations collecting mHealth data via wearable devices face challenges in obtaining meaningful consent from users (owing to small screen sizes and the need to provide a privacy statement including proposed uses of the data); prior consent is still required (with limited exceptions, including for preventive medicine, for medical diagnosis) and the new GDPR will impose even more stringent requirements. [mHealth – Wearables, technical innovation and Data Protection – CMS Law]

UK – Privacy Concerns Limit Social Media-Based Health Campaigns: Study

A “qualitative evaluation” of HIV Prevention England’s awareness program, “It Starts With Me,” found that online privacy concerns inhibit the wider reach of social media-mired intervention campaigns. “Nearly all of our participants held concerns about privacy relating to their social media use and their engagement with sexual health interventions,” the researchers said. They added that their study did not contain privacy-specific questions, but that respondents expressed their privacy concerns organically. [NAM Aidsmap] [Witzel TC et al. It Starts With Me: Privacy concerns and stigma in the evaluation of a Facebook health promotion intervention. Sexual Health, 2016]

Horror Stories

WW – Private Data of 1.1 Million ‘Elite’ Daters for Sale

Sexual preference. Relationship status. Income. Address. These are just some details applicants for the controversial dating site are asked to supply before their physical appeal is judged by the existing user base, who vote on who is allowed in to the “elite” club based on looks alone. All of this, of course, is supposed to remain confidential. But much of that supposedly-private information is now public, thanks to the leak of a database containing sensitive data of 1.1 million users. The leak, according to one researcher, also included 15 million private messages between users. Another said the data is now being sold by traders lurking in the murky corners of the web. Other leaked data included weight, height, job, education, body type, eye colour and hair hue, as well as email address and mobile phone number. Location data, in the form of latitude and longitude, were also leaked, along with smoking and drinking habits, interests and favourite TV shows, movies and books. Anyone using the site expecting privacy should now consider themselves exposed, right down to their appearance, whereabouts and interests. “We’re looking at in excess of 100 individual data attributes per person. Everything you’d expect from a site of this nature is in there.” [Source]

US – NY Hospital to Pay $2.2 Million Over Unauthorized Filming of 2 Patients

NewYork-Presbyterian Hospital has agreed to pay a $2.2 million penalty to federal regulators for allowing television crews to film two patients without their consent — one who was dying, the other in significant distress. Regulators said that the hospital allowed filming to continue even after a medical professional asked that it stop. At the same time, regulators clarified the rules regarding the filming of patients, prohibiting health providers from inviting crews into treatment areas without permission from all patients who are present. That could end popular television shows that capture emergencies and traumas in progress, getting permission from patients only afterward. “It is not sufficient for a health care provider to request or require media personnel to mask the identities of patients (using techniques such as blurring, pixelation or voice alteration software) for whom an authorization was not obtained,” the Office for Civil Rights with the federal Department of Health and Human Services said in an online post. “I think this will have a chilling effect on hospitals going forward. Any hospital legal counsel worth his salt or any P.R. director would be committing malpractice in order to allow it to occur. It’s now embodied in a federal directive.” [Source]

US – North Carolina Clinic Settles HIPAA Breach for $750,000

The Raleigh Orthopaedic Clinic must pay $750,000 in a settlement after the Department of Health and Human Services’ Office for Civil Rights discovered it had shared the health data of 17,300 individuals in 2013 without “executing a business associate agreement,” a violation of HIPAA. “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said OCR Director Jocelyn Samuels. “It is critical for entities to know to whom they are handing personal health information and to obtain assurances that the information will be protected.” [Healthcare IT News]

CA – Class Action Lawsuit Filed for Privacy Breach in Lanark, Leeds and Grenville

A Class Action lawsuit has been filed following a massive privacy breach at Family and Children’s Services of Lanark, Leeds and Grenville earlier this week that saw the names of 285 families involved with children’s services leaked on Facebook. The class action filed in the Ontario Superior Court of Justice on behalf of a person identified only as M.M. names the agency, its executive director, Children and Youth Services Minister Tracy MacCharles and John Doe – the person responsible for sharing the information – as defendants. The lawsuit calls for $25-million in general damages, $25-million in special damages and $25-million in punitive, aggravated and exemplary damages on behalf of M.M. the families whose names were shared in a document on the Smiths Falls Swapshop and Families United Facebook pages earlier this week. “This is a very serious breach of privacy, made possible by the Family and Children’s Services of Lanark, Leeds and Grenville,” said Sean Brown of Flaherty McCarthy LLP in Toronto. “That institution made the decision to use an on-line portal system that was easily accessed by an individual without any obvious hacking skills. The most sensitive and confidential information held by that body, specifically the names of those under its investigation, have now been published on the Internet. The damage has been done. That bell can not be unrung.” [CFRA]

Identity Issues

WW – FPF Reports on the Full Spectrum of Practical Data De-Identification

One of the most hotly debated issues in privacy and data security is the notion of identifiability of personal data and its technological corollary, de-identification. De-identification is the process of removing personally identifiable information from data collected, stored and used by organizations. Once viewed as a silver bullet allowing organizations to reap the benefits of data while minimizing privacy and data security risks, de-identification has come under intense scrutiny with academic research papers and popular media reports highlighting its shortcomings. At the same time, organizations around the world necessarily continue to rely on a wide range of technical, administrative and legal measures to reduce the identifiability of personal data to enable critical uses and valuable research while providing protection to individuals’ identity and privacy. This paper proposes parameters for calibrating legal rules to data depending on multiple gradations of identifiability, while also assessing other factors such as an organization’s safeguards and controls, as well as the data’s sensitivity, accessibility and permanence. It builds on emerging scholarship that suggests that rather than treat data as a black or white dichotomy, policymakers should view data in various shades of gray; and provides guidance on where to place important legal and technical boundaries between categories of identifiability. It urges the development of policy that creates incentives for organizations to avoid explicit identification and deploy elaborate safeguards and controls, while at the same time maintaining the utility of data sets. [Source] [Infographic] [Privacy Advisor]

US – Judge: Ashley Madison Breach Victims Must Use Real Names

Victims of the Ashley Madison data breach wishing to be named plaintiffs in the upcoming litigation will need to use their real names. U.S. District Judge John Ross made the decision, saying fake names should only be used in civil litigations in certain cases. “The disclosure of Plaintiffs’ identities could expose their sensitive personal and financial information — information stolen from Avid when its computer systems were hacked — to public scrutiny and exacerbate the privacy violations underlying their lawsuit,” Ross said. “At the same time, there is a compelling public interest in open court proceedings, particularly in the context of a class action, where a plaintiff seeks to represent a class of consumers who have a personal stake in the case and a heightened interest in knowing who purports to represent their interests in the litigation.” Victims have until June 3 to join the class. [Ars Technica]

WW – More than 1 Million Facebook Users Access via TOR Network

It seems that every few weeks or so, a new study about how the dark web is mostly vile and mostly harbors criminals crops up. The majority of people, in fact, would be pretty OK about it were the dark web to be padlocked, according to a recent survey. The battle over anonymizing technologies – encryption and the Tor network that the dark web runs on – is a polemic issue: it often boils down to a simplistic battle between the advocates of innocent individuals’ privacy rights (and of security that isn’t weakened via backdoors) vs. the shielding of criminals. On one side of the argument, Tor is used by whistleblowers, human rights activists, journalists and others to protect their identities. On the other side: it’s also used by people shielding their activities around cybercrime, drugs, illegitimate porn and violent extremism. As it turns out, a large number of people who want to use Facebook secretly without revealing their identities fall into the “legitimate use” side of the battle. Facebook said on Friday that over a million people accessed Facebook through the Tor network this month. That’s up from the 525,000 people who were coming in over Tor over a 30-day period last June, and it follows two years of work to enable people to find the social network on Tor. [Source]

Internet / WWW

WW – Google Beefs Up Chrome Web Store User Data Policy

Google has made changes to the Chrome Web Store User Data Policy to protect users from data theft. Third-party developers must encrypt personal data that they transmit. The revised policy also requires developers to create and publish a privacy policy explaining which data they collect and how it is used. [Register] [Google]

Law Enforcement

CA – Surrey’s License Plate-Scanning & 300 Traffic Cameras Remain Limited

Although the RCMP have now been given 24-hour access to Surrey’s 300 traffic cameras in the fight against gang violence, there is a line Mounties are not attempting to cross. They aren’t proposing to use the 330 city intersection cameras to rapidly scan licence plates and check drivers against policing databases, as now happens with the Automated Licence Plate Recognition (ALPR) system on use on about 40 police cars in B.C. In theory, a stationary system of cameras integrated with ALPR could act as a surveillance network, tracking the movements of known gangsters or quickly identifying suspect vehicles fleeing the scene of a shooting – if that was allowed here as it is in the U.K. “That’s not what exists here in British Columbia or anywhere else in Canada,” RCMP Dep. Commissioner Craig Callens said, giving a short answer of “no” when asked if such a London-style system is being pursued. “I have not been involved in any discussions to this point,” he told Black Press. “And I think to do so would require some considerable consultation with the provincial privacy commissioner.” A University of the Fraser Valley study in 2015 suggested much more could be done with the licence-scanning system to tackle more serious crime. “ALPR is not being used in Surrey to its full potential,” according to the report by UFV criminologists. In other jurisdictions, they noted, the second most common use is for crime intelligence – using ALPR equipped vehicles to patrol high-crime areas to run plates, collect data and identify and track potential suspects. [Source]


US – Support Increases for Legislation to Halt Government Location Tracking

The House Judiciary Committee may consider halting the government’s ability to track citizens’ locations via their cellphones without a warrant sooner rather than later. During its meeting on the Email Privacy Act last week, Chairman Bob Goodlatte, R-Va., said he wants to hold a meeting on how the committee is dedicated to safeguarding geolocation data when the next Congress commences. Goodlatte’s stance is drawing praise from both sides of the aisle and has been compared to legislation from Rep. Zoe Lofgren, D-Calif., requiring the government to seek a warrant in order to intercept or request geolocation data from any citizen. Goodlatte has the support of privacy advocates including Sen. Ron Wyden, D-Ore., who believe location tracking to be a prominent issue to be addressed in the widespread surveillance debate. [Morning Consult]

Privacy (US)

UK – Supreme Court Believes IT Progress Make Privacy Laws ‘Unenforceable’

Lord Neuberger, president of the UK Supreme Court, expressed skepticism about the overall effectiveness of privacy laws, claiming such orders are “unenforceable.” Delivering his opinions in front of lawyers in Edinburgh, Neuberger believes gains in technology have made it impossible to properly enforce privacy laws, and developments in IT have greatly increased the tensions between personal privacy and freedom of expression. “The existence of the Internet inevitably affects what can be practically achieved in terms of enforcement of privacy, and the law should never seek to acknowledge or enforce rights which are in practice unenforceable,” Neuberger said. [Daily Mail]

US – Legislators Lack Unbiased Scientific and Technical Advice

Budget cuts more than twenty years ago eliminated the US Office of Technology Assessment (OTA), which provided legislators with unbiased scientific and technological information. Former congressman Rush Holt, a trained research physicist, tried to bring OTA back, but did not succeed. He noted, “Most members of Congress don’t know enough about science and technology to know what questions to ask, and so they don’t know what answers they’re missing.” [Wired]


US – DHS Red Teams Conduct Penetration Tests on Government Agencies

The US Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC) has conducted penetration tests on three unnamed US government civilian agencies. The red teams were able to “own those agencies from top to bottom and side-to-side.” NCCIC now plans to help those agencies fix their network weaknesses. The agencies will also have help developing internal cybersecurity talent so they can continue to conduct similar assessments more frequently. [Source]

US – More Bad News for NASA Cybersecurity

Two more reports have found serious cybersecurity problems at NASA. The agency’s inspector general found that NASA needs to improve continuous monitoring management, configuration management, and risk management. And a private security company, Security Scorecard, ranked NASA last among 600 federal, state, and local government agencies surveyed in its report. Security Scorecard found that NASA had issues with secure sockets layer (SSL) certificates, unsecure open ports, and misconfigured email sender policy frameworks. [Source] [NASA IG Report]

WW – 93 Million Mexican Voter Records Exposed on Cloud

A 132 GB database, containing the personal information on 93.4 million Mexican voters has finally been taken out of the cloud and offline. The database sat exposed to the public for at least eight days after its discovery by a researcher, but originally went public in September 2015. The security researcher discovered the MongoDB instance on April 14, but had difficulty tracking down the person or company responsible for placing the voter data on Amazon’s AWS. He first reached out to the U.S. State Department, as well as the Mexican Embassy, but had little success. The database contains all of the information that Mexican citizens need for their government-issued photo IDs that enable them to vote. Along with their municipality, and district information, the database records include the voter’s name, address, voter ID number, date of birth, the names of their parents, occupation, and more.

Eventually, after a speaking engagement at Harvard University’s Center for Government and International Studies, the researcher was able to reach someone the Mexican Instituto Nacional Electoral (INE). The database was pulled offline earlier this morning. Given that the database has been online since September 2015, it isn’t clear how many people have accessed the records. Additionally, the actual owner of the account hosting the data remains unknown. Mexico has strict laws regarding the usage and access of voter information, and the last time such records were in the hands of a company in the U.S., it became an international incident. “Under Mexican law this data is strictly confidential, carrying a penalty of up to 12 years in prison for transfer or extraction for personal gain. The Mexican Elections Commissioner has confirmed that the database is authentic. The data is now secured but the real question is who else had access to this sensitive information, and who put it on a US-based Amazon cloud server?” he said in a brief statement. [Source] [Hacker discovers information on nearly all Mexican registered voters]

EU – Security Frameworks – EDPS Details Components of Information Security Risk Management Process

The European Data Protection Supervisor has released a guidance document on Information Security Risk Management practices in support of requirements found in Article 22 of Regulation 45/2001. Key steps include establishing a company’s context (collecting relevant information, defining scope, assigning roles), identification and assessment of risks, deciding on responses, management sign-off of residual risks, and ongoing monitoring of risks as well as the process itself. [European Data Protection Supervisor – Guidance – Security Measures for Personal Data Processing – Article 22 of Regulation 45/2001]


US – Federal Appeals Court Says Warrant Not Needed for Stingray Use

The 6th US Circuit Court of Appeals has agreed with the federal government that a warrant is not necessary when using cell-site location technology like Stingrays. The majority of federal appeals court rulings share this position; the only federal appeals court that sided against has agreed to rehear the case, so the opinion has been set aside. The issue is unlikely to head to the Supreme Court anytime soon unless more federal appeals courts disagree with the government. [Ars Technica]

UK – Surveillance Bill Would Require Government Vetting of New Communications Technology

Draft surveillance legislation in the UK would require technology and telecommunications companies to run new products, services, and features by the government prior to their release, to ensure that they provide capability for the government to intercept communications or access stored data. [ZDNet] Privacy International has flagged a provision in the U.K.’s draft Investigatory Powers Bill that would mandate tech firms like Google and Apple to inform spies when their technologies were to be upgraded.

UK – Documents Reveal British Intelligence Agencies Collecting Bulk Personal Data Since 1990s

A collection of more than 100 documents reveals how British intelligence agencies, including MI5, MI6 and GCHQ, have been collecting bulk personal data in secret since the late 1990s. The documents show how the agencies have been stockpiling the data, which includes travel records, financial data and communications information, for longer than previously divulged. The internal memos also reveal how the agencies gathered information on individuals who are “unlikely to be of intelligence or security interest.” Other revelations include continuous issues intelligence agencies face regarding data handling errors, resulting in the disciplining of two MI5 and three MI6 agents between 2014 and 2016 for mishandling bulk personal data, while a GCHQ staff member was fired for unauthorized searches. [Guardian]

CA – Saskatchewan OIPC Issues Best Practices on Public Surveillance

The OIPC SK has provided guidance on video surveillance of public areas, aimed at public bodies who may be subject to:

Images of individuals are personal information under privacy legislation; public bodies deploying CCTV cameras (or similar) should consider the following – confirming that the collection is necessary and lawful (i.e., proper authority under the law), minimizing impact on personal privacy (avoid washrooms, post notices that the area is under surveillance), conducting a PIA, and ongoing audit and review of the program. [Video Surveillance Guidelines for Public Bodies – OIPC SK]

Telecom / TV

US – 60 Minutes Segment Demonstrates Ease of Tracking Smartphones

US television investigative news magazine 60 Minutes ran a segment showing just how vulnerable smartphones are to tracking and eavesdropping. US Senator Ted Lieu (D-California) participated in the demonstration. Using just the 10-digit number associated with the smartphone, Security Research Labs’ Karsten Nohl was able to record calls made to and from the device and track its precise location. Nohl exploited a weakness in the Signaling System No. 7 (SS7) routing protocol to access the phone Lieu was using. [Ars Technica] [ComputerWorld] [The Register] [The Hill]

US – FCC to Examine Mobile Network Security

Following a 60 Minutes television news magazine segment that demonstrated a vulnerability that could be exploited to eavesdrop on phone calls, the head of the US Federal Communications Commission’s (FCC) Public Safety Bureau has directed his staff to look into the Signal System 7 (SS7) vulnerability. [SC Magazine] [The Hill]

AU – 60 Minutes Australia Covered SS7 Vulnerability Last Year

The SS7 vulnerability was demonstrated last year on a segment for Australia’s 60 Minutes program, which also noted that a relatively inexpensive and readily obtainable device known as an IMSI catcher, or cell-site simulator, could be used to conduct man-in-the-middle attacks against cellphones. [YouTube] [NDTV]

CA – BC Appeals Court Affirms Its Position on Text Message Privacy

On April 11th, the BC Court of Appeal held that a defendant convicted of internet luring and sexual touching of a minor had a reasonable expectation of privacy in direct messages he sent to the complainant and others via a social media platform. The trial judge had found no such expectation – a finding that rested in part on the nature of the messages. The trial judge held that the messages contained no personal information that the defendant had not posted in his public profile and were not sent to an intimate, trustworthy contact. The Court of Appeal viewed the messages differently – as “flirtatious” – and held that the trial judge rested too heavily on the “risk analysis” that characterizes American Fourth Amendment law. It reasoned: While recognizing that electronic surveillance is a particularly serious invasion of privacy, the reasoning is of assistance in this case. Millions, if not billions, of emails and “messages” are sent and received each day all over the world. Email has become the primary method of communication. When an email is sent, one knows it can be forwarded with ease, printed and circulated, or given to the authorities by the recipient. But it does not follow, in my view, that the sender is deprived of all reasonable expectation of privacy. To find that is the case would permit the authorities to seize emails, without prior judicial authorization, from recipients to investigate crime or simply satisfy their curiosity. The analogy between seizing emails and surreptitious recordings [as considered by the Supreme Court of Canada in R v Duarte] is valid to this extent. In the end, the Court found a breach of section 8 but held the evidence was after conducting its section 24(2) analysis. The Court’s reasonable expectation of privacy finding follows its earlier similar finding in R v Peluco. For the context see this Law Times article. [BCCA affirms its position on text message privacy]

US Government Programs

US – U.S. Administration Refuses Information About Spying On Americans

A group of lawmakers from both parties are unhappy that they are being asked to reauthorize two key surveillance programs without the Obama executive branch answering how much data is being gathered on innocent Americans. The two programs authorized by Section 702 of the Foreign Intelligence Surveillance Act, are PRISM and Upstream. PRISM is a clandestine surveillance program under which the US NSA collects internet communications from at least nine major US internet companies. Since 2001 the US government has increased its scope for such surveillance, and so this program was launched in 2007. The major companies include Facebook, Yahoo, and Skype. Upstream collection involves four different surveillance programs: In a Foreign Intelligence Surveillance Court (FISC) order from October 3, 2011, it’s said that the Upstream collection accounts for approximately 9% of the total number of 250 million internet communications which NSA collects under the authority of section 702 FAA every year. During the first half of 2011, NSA acquired some 13.25 million internet communications through Upstream collection. “The program is unable to exclude domestic communications due to technical difficulties. The government refuses to tell politicians how much data is collected from Americans. Fourteen members of the House Judiciary Committee sent a letter to James Clapper, the Director of National Intelligence, asking for at least a rough estimate of the number. The letter said: “In order that we may properly evaluate these programs, we write to ask that you provide us with a public estimate of the number of communications or transactions involving United States persons subject to Section 702 surveillance on an annual basis.” Senator Rony Wyden has been asking for the number since 2011. The Privacy and Civil Liberties Oversight Board also asked in 2014. More than 30 privacy groups have also asked for the number. [Source] [Clapper: ‘We’ll do our best’ to figure out surveillance numbers]

US Legislation

US – Legislative News Roundup

Workplace Privacy

CA – Employee Privacy: Ontario Arbitration Board Rules that Employer’s Search of Employee’s Personal USB Key Did Not Infringe Charter Rights

An arbitration board heard a termination complaint filed by a union for federal employees against an Ontario government ministry. A supervisor was permitted by a management rights clause in the collective agreement to search the lost USB key (which was reported to contain employer documents) for evidence of employee misconduct. Any Charter-infringing conduct was minor; some degree of intrusion into personal documents was inevitable because the key was used for both personal and work purposes. [Association of Management, Administrative and Professional Crown Employees of Ontario (Bhattacharya) v. The Crown in Right of Ontario (Ministry of Government and Consumer Services) – 2016 CanLII 17002 – The Grievance Settlement Board, Ontario]

CA – ONSC Affirms Damages Award for “Friend’s” Leak of Work Schedule

On April 8th, the Ontario Superior Court of Justice affirmed a $1,500 damages award for a privacy breach that entailed the disclosure of information that the defendant received because she was the plaintiff’s social media friend. The plaintiff and defendant were pilots who worked for the same airline. The plaintiff shared his work schedule with the defendant though an application that allowed him to share his information with “friends” for the purpose of mitigating the demands of travel. The airline also maintained a website that made similar information available to employees. The defendant obtained the schedule information through one or both of these sites and shared it with the plaintiff’s estranged wife. Among the issues raised in this scenario: Is a work schedule, in this context, personal information? Does one have an expectation of privacy in information shared in this context? Does the intrusion upon seclusion tort proscribe a disclosure of personal information? The appeal judgement is rather bottom line. In finding the plaintiff had a protectable privacy interest, the Court drew significance from the airline’s employee privacy policy. [Source]



9-18 April 2016


WW – Fingerprint Identification Technology Expanding Beyond Smartphones

Biometric fingerprint technology has surged in popularity among smartphone users, and now companies are looking to bring the technology to new places. Credit card use, rail commuting and entrances to buildings could be the next wave of opportunities to implement fingerprint identification. Specifically, Sweden’s Fingerprint Cards, already leading the market for fingerprint identification sensors in smartphones, believes biometric smart cards could be its most rapidly expanding market by 2018. Security advocates praise fingerprint identification as a superior alternative to pin codes, and the market for the technology continues to grow, with many companies jumping into the business. [Reuters]

WW – Russian Photographer’s Project Shows Ease of Finding People Online

A Russian photographer’s project looks to show how an individual’s private life is becoming less and less private. Egor Tsvetkov created an experiment titled “Your face is big data,” where he took pictures of nearly 100 people sitting across from him on the subway, then used the facial-recognition app FindFace to discover them on VK, a Russian social media site. Tsvetkov located about 60 to 70% of the people he photographed who were between 18 and 35 years old. [PCWorld]

US – Shutterfly Settles Facial Recognition Lawsuit

An undisclosed settlement has been reached between Shutterfly and an Illinois man who brought a lawsuit against the photo-sharing website, claiming the company violated his privacy. Brian Norberg alleged Shutterfly used facial recognition software to identify his face, which ended up in the company’s database after a friend tagged him in a photo in February 2015. Norberg’s suit said Shutterfly analyzed the details of his face and offered other photos he should be tagged in, which the suit asserts violates Norberg’s rights under the Illinois Biometric Information Privacy Act. “Helping a user re-identify his own friends within his own digital photo album does not violate any law,” Shutterfly countered. Had the lawsuit gone to trial, it could have had repercussions for companies using facial recognition software. [Chicago Tribune]


CA – Nova Scotia to Craft New Cyberbullying Law

The province’s Justice Department says it is working on new cyberbullying legislation to replace the Cyber-safety Act, which was struck down in December by the Nova Scotia Supreme Court. Since then the province has had no law on the books specifically dealing with cyberbullying. Over the next several months the province said it will seek legal expertise to craft a new act that balances the right to freedom of speech with a way to protect the victims of cyberbullying. The earliest new cyberbulling legislation could be introduced is the fall. [Source]


WW – Men and Women Differ in Their Approach to Online Privacy and Security

What do internet users want in terms of security and privacy? What do they do to protect their own privacy and security when they use the internet? Hide My Ass! (HMA) commissioned a nationwide survey to find out. The main results revealed a striking disconnect between what people want and what they do while a deeper look uncovered some intriguing differences between men and women. HMA is a VPN (virtual private network) service provider. VPNs hide an internet user’s identity, location and internet activity by encrypting their data and routing their internet connection through multiple IP addresses and remote servers. HMA summarized the results of their survey with an attractive infographic and a more detailed report. While most people want more internet security and privacy, they do very little to make use of the tools and techniques that are available to give them what they want. The survey found that 70% of consumers say they restrict their level of social media use in order to avoid exposing personal information. However, only 25% enable strict privacy restrictions on the social media platforms they use. Likewise, 67% say they want additional layers of security while only 9% use email encryption programs, 11% use a VPN and 13% use two-factor authorization. [Forbes]

WW – RAND Corporation Examines Consumers’ Reactions to Data Breaches

When a data breach occurs within an organization, how do affected consumers respond? It’s the question the RAND Corporation sought to answer in “a nationally representative survey of the consumer experience” following a data breach. Of their findings, RAND reports 26% of respondents, roughly 64 million adults in the U.S., received a breach notification in the 12-month period before the survey, with 44% of those individuals saying they were already aware of the attack from sources other than the affected company. Free credit monitoring was a popular choice among respondents, with 62% of individuals accepting the service. Many were pleased with a company’s reaction to the incidents, with 77 percent reporting high satisfaction with the organization’s post-breach response, and only 11% discontinuing a relationship with the organization following the breach. [Full Story] [Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information]

WW – Firm Releases 2016 Data Breach Litigation Report

Data breach litigation “remains one of the top concerns of general counsel, CEOs and boards alike,” Bryan Cave, a law firm, points out in its latest report on data breach litigation, adding, “there remains a great deal of misinformation reported by the media, the legal press and law firms.” The 2016 Data Breach Litigation Report found a 25% decline in the amount of cases that were filed from its 2015 report. Additionally, when “multiple filings against single defendants” were removed, there were only 21 unique defendants during that 15-month time period, and only 5% of reported data breaches ended up facing class-action litigation. According to the report, such a decline in class actions may derive from an overall decline in reported breaches. [Report]


US – Government Agencies Dead Last in Cybersecurity: Report

The cybersecurity protections at U.S. government agencies — from federal to local levels — ranked dead last compared to 17 other private industries, according to a report from security risk startup SecurityScorecard. SecurityScorecard analyzed the security capabilities of major industries across 10 categories, including weaknesses to malware and rates of password exposure. The security startup examined 35 major government data breaches between April 2015 and April 2016, saying agencies had the worst scores on network security, software patching defects and malware. Among the 600 government entities SecurityScorecard examined, NASA was the worst performer, particularly its susceptibility to email spoofing and malware attacks. Other low ranking agencies included education and telecommunications, while information services, food and construction industries received high marks. For more on the report: here. [Reuters] [Newsweek]


US – House Judiciary Committee Unanimously Approves Email Privacy Act

In a 28-0 vote, the Email Privacy Act has been approved by the House Judiciary Committee. The new bill, created to update the 1986 Electronic Communications Privacy Act, requires law enforcement to obtain a warrant before requesting email providers to hand over a suspect’s electronic communications stored for more than 180 days. The bill is expected to pass through the House, but might face opposition in the Senate, as civil enforcement agencies — including the Securities and Exchange Commission and the FTC — are concerned the bill could hamper civil investigations. [Morning Consult]

Electronic Records

US – 96% of Health Care Organizations Susceptible to Data Threats: Report

The results of the Healthcare Edition of the 2016 Vormetric Data Threat Report revealed 96% of health care organizations feel susceptible to data threats, the organization said in a press release. Findings included 63% of respondents saying they have experienced a data breach, with nearly 20% experiencing one in the last year. Meeting compliance requirements was the top IT security spending priority, coming in at 61%, with data breach prevention “well behind at 40%.” Complexity clocked in at 54% as the toughest barrier to overcome for better adoption of data security, with lack of staff coming in second. [Full Story]

EU Developments

EU – WP29 Refuse to Endorse Privacy Shield Scheme

The Article 29 Working Party (WP29) met in Brussels to discuss the European Commission’s Privacy Shield scheme, the proposed replacement for Safe Harbor. As anticipated, WP29 decided that in their view Privacy Shield does not offer adequate protection. Whilst the decision is not binding on the Commission it will be hard to ignore if Privacy Shield is to be successful, especially since enforcement is still in the hands of the data regulators who sat around the table at WP29 and not in the hands of the Commission. WP29’s position is not a surprise, especially given the rumours coming out of Germany. Some German data protection authorities have had a long-held objection to Safe Harbor and they have been the most aggressive in enforcement since Safe Harbor died (for more on this see our alert here).Amongst WP29’s criticisms are:

  • A lack of clarity over the ombudsman role; and
  • Exceptions allowing the US to still collect European bulk data.

Most companies will have to plan for a world without Safe Harbor or Privacy Shield at least in the short term. They will have to explore alternative solutions including EU model terms and Binding Corporate Rules (BCRs). BCRs are likely to gain momentum and sources close to WP29 tell us that we can expect statements soon from regulators removing some of the existing objections to BCRs. In addition BCRs will gain in use once their statutory status is confirmed by the forthcoming General Data Protection Regulation (GDPR) – there is more on this in our GDPR FAQs here. [The WP29 issues draft adequacy decision] [IAPP GDPR Resources] [Data watchdogs do not endorse the EU-US Privacy Shield as drafted] [WP29 Privacy Shield opinion sparks anxieties for US businesses] The Hill also reported on businesses’ Privacy Shield related fears, and the potential challenges of trying to alert the agreement. [WP29 on Privacy Shield: More work needed]

EU – European Commission Seeks Views on ePrivacy Directive

The European Commission seeks stakeholders’ views on the current text of the ePrivacy Directive as well as the possible changes to the existing legal framework to make sure it is up to date with the new challenges of the digital area; the consultation is open until July 5, 2016. Learn more

EU – Passenger Name Record Bill Passes

The European Parliament approved the EU Passenger Name Record bill after five years of discussion. The bill will permit federal law enforcement officials to share airline-passenger information, like name and payment data, across national borders for up to five years in an attempt to curb terrorist activity. “It is one all EU governments and indeed the U.S. government have requested as a very important tool to tackling terrorism,” said U.K. MEP Timothy Kirkhope. Critics in the Green Party disagree. “This EU PNR system is a false solution, based on the flawed political obsession with mass surveillance,” said Green MEP and Home Affairs spokesman Jan Philipp Albrecht in a statement. [EUobserver]

UK – CJEU Hears Case on British Data Retention Laws

The EU’s highest court will hear a legal challenge this week concerning the validity of UK data retention laws. In July last year the High Court in London ruled that DRIPA was incompatible with human rights legislation but that decision was appealed by the UK government to the Court of Appeal. The Court of Appeal has asked the CJEU to rule on whether its previous judgment on the Data Retention Directive sets out “mandatory requirements of EU law applicable to a member state’s domestic regime governing access to data retained in accordance with national legislation, in order to comply with Articles 7 and 8 of the EU Charter”. [Source]

EU – Belgian DPA Advises Data Controllers to Have Detailed Cloud Contracts

The Belgian data protection authority issued guidelines for data controllers contracting with cloud service providers regarding compliance with the Data Protection Act. Provisions should include requirements that the provider only process the data upon the controller’s instructions and obtain controller approval for all subcontractors, and a list of the physical locations where the processing takes place for the duration of the contract. [DPA Belgium – Opinion No 10/2016 – Use of Cloud Computing for Data Controllers]

Facts & Stats

CA – Reporting of Government Privacy Breaches Varies Widely

Federal government departments breached the privacy of more than 45,000 Canadians last year but only a small fraction of those breaches were ever reported to Canada’s Privacy Commissioner. Moreover, the proportion of breaches reported to the Privacy Commissioner’s office varied widely from one department to another. For example, while the Justice Department reported 80% of the breaches it discovered, the agency with the largest number of breaches – the Canada Revenue Agency – only revealed less than 1% of its 3,868 breaches to Privacy Commissioner Therrien’s office. While departments are not required to notify Therrien of every breach that occurs, last year he was only notified about 5.3% of the 5,853 privacy breaches discovered by departments. See Chart: Privacy breaches reported to privacy commissioner. [Source] [Document: Order/Address of the House of Commons] [Feds made 5,670 privacy breaches last year; CRA worst offender] [Appearance before the Standing Committee on Access to Information, Privacy and Ethics on the Transfer of Information to the United States Internal Revenue Service (IRS) ] [Ottawa open for comments on proposed breach notification regulations]

CA – Half a Billion Identities Were Stolen or Exposed Online in 2015

500 million identities were stolen or exposed online in 2015 according to a report by digital security firm Symantec. The report also revealed that the amount of malware online increased by 36%, with 430 million new pieces of malicious code being created in 2015. Ransomware attacks are also on the increase, with 35% more attacks than the previous year. The UK ranked as the most targeted nation for spear-phishing campaigns that attempt to steal data by targeting employees within a specific organisation. This type of attack increased by 55% in 2015. We’re also beset upon by fake technical support scams and social media fakes, with the UK being the second most targeted nation globally in both categories. Symantec drew particular attention to the increased number of zero-day vulnerabilities in 2015. It identified 54 zero-day vulnerabilities in 2015, the majority of which existed in widely-used pieces of software. Four out of the five most exploited zero-day vulnerabilities were found in Adobe’s much-maligned Flash Player. On average, each data breach exposed more than 1.3 million identities, but Symantec identified nine ‘megabreaches’ – the leaking of over 10 million records in a single attack – in 2015. [Source] [BBC] See also: [The seven types of e-commerce fraud explained]

CA – Hamilton Using Google Maps to Enforce Bylaws

Since 2002, Hamilton city officials have been quietly collecting aerial photographs that allow enforcement staff to investigate breaches of bylaws, especially the requirement that homeowners acquire a building permit before building a deck or some other construction project. Images from past years can be compared to get an idea when a deck, pool or addition was built. If the structure wasn’t there one year, and appeared the next, it means it was built sometime in between. But Jorge Caetano, the manager of plan examination in the city’s building division, says the information is never used to go on fishing expeditions for violators. It’s only consulted after the city receives a complaint. “We use it as a tool. We don’t use it in place of going there in person to investigate, to see the property,” he said. “At this point, we don’t base enforcement on aerial photographs. We would have to go out there physically and inspect the property. We still have to carry out the proper investigation.” He said information from past aerial photographs could be consulted to verify whether a structure has been there for many years and was, say, built by a former owner. A spokesperson from the IPC Ontario said the use of aerial maps would not appear to violate privacy rules: “As defined in Ontario privacy legislation, personal information means recorded information about an identifiable individual. Several IPC decisions have found that information about properties and businesses does not qualify as personal information as it does not reveal something of a personal nature about identifiable individuals.” [Source]


CA – CRA Should Notify People When Their Bank Records are Shared: Therrien

The CRA should automatically notify individuals when it shares their banking information with the U.S. IRS under a controversial information sharing agreement, says Canada’s Privacy Commissioner. Testifying before Parliament’s Access to information, Privacy and Ethics committee Daniel Therrien said there is no reason for the CRA not to advise people when their information is transferred. “Can it be realized? It is certainly an effort but we know that the government wants to facilitate access to data by citizens so it seems to me that would be a move that would fit in that objective.” Therrien said there are likely electronic ways to notify people when the CRA shares their banking information with the U.S. Therrien said he is also concerned that Canada’s banks and the CRA may be over reporting the number of people considered “U.S. persons” under the information sharing agreement. While the CRA originally estimated that the deal it signed would result in it sending 30,000 to 90,000 banking records to the IRS, it ended up sending 155,000 records. [Source]

US – Insurance Coverage for ‘Malicious Insider’ Breach Depends on Policy Wording

With most data now stored electronically, businesses are facing new challenges in relation to data retention and keeping it secure and safe. Bespoke cyber insurance policies and, increasingly, data protection coverage as part of a general commercial liability policy will generally cover both first and third party liabilities in the event that anything happens to that data – but how will these policies respond in the face of deliberate or criminal behaviour by an employee who decides to release data to harm either colleagues or the business? As insurance contracts are supposed to cover fortuities and not deliberate actions, insurers may be able to reject claims arising out of malicious acts by employees. It is important, therefore, for both insurers and the insured to ensure that policy wordings reflect the regulatory framework surrounding data breaches, as well as the specific types of claim that are likely to arise as a result. In the absence of specific wording, insurers may be able to reject claims arising out of deliberate data breaches by disaffected employees. .As insurance contracts are supposed to cover fortuities and not deliberate actions, insurers may be able to reject claims arising out of malicious acts by employees. It is important, therefore, for both insurers and the insured to ensure that policy wordings reflect the regulatory framework surrounding data breaches, as well as the specific types of claim that are likely to arise as a result.

CA – Privacy Law Gives Insurers a Boost in the Battle Against Fraud

With amendments to federal privacy laws last year, group benefits providers are facing a host of new consent and disclosure-related obligations that can offer helpful tools or signal potential headaches. Bill S-4, the Digital Privacy Act, came into force in June 2015. It amended PIPEDA to include new provisions around obtaining consent, disclosing information without consent and mandatory breach notification. For group benefits providers, the most positive development is likely the new provision that will help them fight fraud by allowing for increased disclosure of information without consent in certain cases. Before the amendment, insurers had to obtain the consent of anyone they had a contract with before disclosing their personal information even if that person was suspected of involvement in fraudulent activity. Many of the amendments also create consistency with privacy legislation in Alberta and British Columbia. Industry efforts will include helping insurers to consider ways to share claims data in order to identify fraud trends that the association says can be hard to pinpoint when each provider is working independently. [Benefits Canada] See also: [Out-Law: Insurance Coverage for ‘Malicious Insider’ Breach Depends on Policy Wording]


US – Microsoft Sues Justice Department over ECPA Gag Orders

Microsoft is suing the Justice Department for its frequent use of gag orders that prevent the company from telling users when the government has obtained a warrant to search their emails. Microsoft claims the gag order statute in the Electronic Communications Privacy Act is unconstitutional and violates both the First and Fourth Amendments. In its suit, Microsoft argues that the government has “exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.” Brad Smith, the company’s top legal advisor, said, “People should not lose their rights just because they are storing their information in the cloud.” The House Judiciary, earlier this week, unanimously passed a bill that would reform parts of the ECPA. [The New York Times] [Microsoft Corporation Delivers a Reality Check to the U.S. Government – Microsoft Corporation Challenges the Government] [Microsoft Sues Justice Department to Protest Electronic Gag Order Statute]

US – Making Records Accessible on the Internet is a “Publication” –Federal Court

A federal appeals court upheld a ruling against insurance firm Travelers Indemnity Company of America, saying, under the terms of a commercial general liability policy, the company should have defended a client in a lawsuit resulting from an electronic data breach. Travelers was found by a three-judge panel in the 4th U.S. Circuit Court of Appeals in Virginia to have failed to prove its two CGL policies with its client, Portal Healthcare Solutions, excluded the defense of a 2013 class-action lawsuit filed when Portal publicly posted the records of Glens Falls Hospital patients. The trial court summarily rejected the argument that because Portal Healthcare had not intended to release the information, there was no “publication,” stating that “the issue cannot be whether Portal intentionally exposed the records to public viewing since the definition of ‘publication’ does not hinge on the would-be publisher’s intent.” Importantly, the court also rejected the argument that because no one had read the records, there was no “publication.” On appeal, the Fourth Circuit “commended” the trial court for its “sound legal analysis,” but did not add more, including on the scope of the term “publication.” The ruling goes against decisions in Connecticut and New York where CGL policies were determined not to cover damages from cyberattacks. “I think it’s a shocker to CGL insurers to see a decision like this,” said a research analyst. “CGL insurers don’t really think that they should be on the hook for this type of claim. They see this as a cyber and privacy claim, not a general liability claim.” [SC Magazine] [Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir. Apr. 11, 2016)] [Source] [Court Opinion] [Appeal] [Federal Court Rules CGL Insurance Covers Data Breach] [4th Circuit affirms Travelers v. Portal Healthcare breach decision]

CA – BC Judge Calls for Restrictions on Court Database Searches

Thomas Crabtree, Chief Judge of the BC Provincial Court, wants restrictions placed upon searches for individuals who were ultimately not convicted of a crime. Crabtree declared a consultation regarding Court Services Online, an online database providing access to criminal records in the Provincial Court. Crabtree believes individuals who weren’t convicted of a crime should not be stigmatized, and cases ending in acquittals, dismissals and withdrawals will only be available in the database in the 30 days after the information is entered. Media outlets are displeased, believing court records should be fully open. “On balance, the need to protect individuals who have not been convicted from misuse of court record information outweighs the desirability of broad online public access to information about such cases and the individuals affected,” Crabtree wrote in a statement. [The Globe and Mail]

US – NSA appoints First Transparency Officer

The National Security Agency has appointed current Civil Liberties and Privacy Director Rebecca Richards as its first ever transparency officer. An NSA announcement states her dual role “complements ongoing initiatives to ensure that NSA has the best civil liberties and privacy practices.” The new role will serve under the Office of the Director of National Intelligence’s Intelligence Transparency Council, which aims to make “information publicly available in a way that enhances understanding of intelligence activities, while continuing to protect information when disclosure would harm national security.” [The Washington Times]

Health / Medical

CA – GPEN Launches 2016 “Internet of Things” Global Privacy Sweep

The Global Privacy Enforcement Network will focus their 2016 Global Privacy Sweep around the Internet of Things. The group, made up of data protection authorities from around the world, including the IPC, will specifically look into the accountability practices of IoT companies during this year’s Sweep. Regulators participating in the event — taking place April 11 through 15 — will examine the privacy practices of various devices, ranging from wearables to smart TVs. The OPC says it will investigate health devices. The IPC is surveying two dozen class 2 medical devices available for sale in Ontario. DPAs will have the flexibility to focus on actual products taken right off the shelf, by investigating statements on company websites, or by directly connecting with a manufacturer. [Office of the Privacy Commissioner of Canada] [Privacy watchdog to study impact of personal Internet devices]

UK – 15,000 Expectant Parents’ Info Compromised

The personal information of more than 15,000 expectant parents was compromised after hackers breached the National Childbirth Trust. The NCT alerted users of the breach, which exposed information including email addresses, usernames and encrypted passwords. No sensitive personal or financial information was accessed in the incident. The cyberattack has been reported to both the police and the U.K.’s data protection authority. A spokesman for the NCT said the organization reached out to affected individuals, advising them to change their usernames and passwords. NCT also posted information on their Facebook page about the hack, while also sending a message on social media telling users their website may face further disruptions. [The Telegraph]

Horror Stories

US – FDIC Breach of 44,000 Customers Caused by Storage Device

A former employee of the Federal Deposit Insurance Corp. (FDIC) departed the agency with a storage device that contained data and information involving 44,000 FDIC customers. A former FDIC employee departed the agency with a storage device that contained data and information involving 44,000 FDIC customers. While FDIC Chairman Martin J. Gruenberg said in a March 18 memo that the data was downloaded to the storage device “inadvertently and without malicious intent,” the device included customer names, addresses and Social Security numbers, according to a media report. The former employee signed an affidavit indicating the breached information was not used, the representative noted. [Source]

Identity Issues

CA – BC Law Firm’s Request for ID is Contrary to PIPA

The BC OIPC mediated a complaint from an individual who was asked to produce identification during a free initial consultation with a law firm. PIPA prohibits businesses from collecting more information than is required (a law firm requested ID from a potential client to comply with money laundering legislation, however confirmed that the law society did not require this collection when providing free services). [Potential Client Questions Law Firm Demand for Identification (P16-06-MS)]

CA – CAI PQ Reminds Landlords They May Only Collect Limited Contact and Credit Related Information from Prospective Tenants

The Commission d’accès à l’information du Québec issued reminders to landlords regarding privacy issues in light of July 1st, the traditional “moving day” in Quebec. A landlord may request a prospective tenant’s name and current full address, may ask to see ID, collect the name of a previous landlord, and perform a credit check (with tenant consent); the landlord may not collect data from a health card, driver’s license or passport, and should not request a SIN, employment or salary information, car details (e.g. brand, colour, or license plate number), or details of the tenant’s financial institution. [CAI PQ – Leases and Personal Privacy Principles and Guidelines To Be Respected]

Internet / WWW

WW – New Guidelines Help Cloud Providers Handle Data Breaches

Technology law specialist Bryan Tan discusses new guidelines in Singapore designed to help cloud providers and their business clients handle data breaches while following the country’s data protection regime. According to the new guidelines released by the Infocomm Development Authority of Singapore, the cloud outage incident response rules “are not meant to resolve issues due to cybersecurity, malicious act or breach of personal data protection laws.” The cloud outage incident response, or COIR, guidelines explain how the standards work with Singapore’s Personal Data Protection Act when a data breach occurs, discussing security arrangements to protect personal data, and ensuring security measures are compliant with the PDPA. COIR advises cloud providers on assessing and planning for outages, encouraging for response plans for any incidents, while also structuring the severity of the attacks into a four-tier system. [Full Story]

WW – Box to Let Overseas Customers Store Files Locally in Privacy Bid

Box is trying to lure international customers, offering overseas clients concerned about privacy the option to store information locally in cloud datacenters belonging to Inc. or IBM Corp. Starting in May, Box Zones will give customers the choice of locating their files in Germany, Ireland, Japan, and Singapore. The company plans to add more regions in the future, said CEO Aaron Levie, and is looking at further choices in Europe and Asia as well as adding Australia and Latin America. Customers, particularly in some parts of Europe and South America, face laws that require certain types of data to be stored in their country or have strong preferences for that. Storage closer to the customer can also speed up computing. Box runs data centers in the U.S. but didn’t want to incur the costs of building out internationally to attract these customers, and it’s cheaper to pay Amazon and IBM to use their facilities, Levie said. [Source]

Law Enforcement

CA – Report: Canadian Police Have Had BlackBerry Encryption Key Since 2010

The Royal Canadian Mounted Police (RCMP) have had a key to access encrypted BlackBerry messages since 2010, a joint report from Vice News and Motherboard found. According to the report, the RCMP first obtained the key in 2010 as part of an investigation into a series of violent crimes committed between 2010 and 2012. The investigation, dubbed Project CLEMENZA, resulted in the take down of two Italian-based organized crime cells in June 2014. Over the course of the investigation, the RCMP said it read more than one million private messages sent by members of the cell using a PIN to PIN interception technique. The RCMP said the investigation was the first time the encryption-breaking technique was used on such a large scale in a major investigation in North America. Court documents obtained by Vice Canada show the RCMP has a server in Ottawa – called the “Blackberry interception and processing system” – that cracks messages by simulating a mobile device that receives messages as though it were the intended recipient. The documents cite the RCMP’s use of the “correct global key” in decrypting the messages, though the documents do not specify how police obtained the key. [WirelessWeek] [Canadian Law Enforcement Can Intercept, Decrypt Blackberry Messages]

EU – Danish DPA Finds License Plate Information Retained Longer Than Necessary

The Data Protection Authority in Denmark investigated the processing of personal data by a parking lot company pursuant to the Act on Processing of Personal Data. The company retained license plate information on individuals for 15 months (for those exiting within the free parking period), and 5 years (for individuals that made correct payments, and those that did not pay); information for individuals not required to pay and individuals that have provided correct payment should be deleted without delay, and information for individuals that have not paid should be retained until a payment is made or a claim has been settled. [DPA Denmark – File No. 2015-631-0122 – Registration of License Plates in Parking]

CA – Chatham PD Registry of “Vulnerable” People 10% of Population

The Chatham-Kent Police Service is creating a registry of people considered to be vulnerable, through a voluntary online registry service. Data available to police would be submitted by a legal guardian or caregiver to be used by police should they need to interact with or search for them. Chief Gary Conn said the Vulnerable Persons Registry will be implemented with the service through a new online program they purchased called COP Logic. “In two to three weeks it will be soft-launched, so probably at the end of April or beginning of May,” said Conn, who also called the registry, “another investigative tool in our tool kit.” Conn added, “The advantages of the system are pretty self-evident.” He said the information in the vulnerable persons registry could be used, for example, if someone goes missing. If that person’s profile shows they have an attraction to certain places, it could mean finding them more quickly. People who may benefit from listed with the registry would include those who wander, have an inability to communicate, have fascinations or attractions to places of possible danger such as water or construction sites, or who have social responses such as aggression or fear of the police. When police receive a call involving a registered person or flagged address, the responding officers are notified and given the information contained in the registry to help them in responding more effectively to the situation. Acknowledging that the definition of “vulnerable” is a broad one, Conn said up to about 10,000 people in Chatham-Kent – nearly one-10th of the entire population – might meet the mandate of the definition. The information that will be contained in the registry will be treated as confidential by officers, subject to the Personal Health Information Protection Act, and will be used when responding to incidents or investigations involving the registered person. [Source]

Online Privacy

WW – Study: Shortened URLs Not As Private As You Think

In a paper released April 14, researchers at Cornell Tech outlined how Google,, and Microsoft’s shortened URLs can be “brute-forced” by hackers to access and manipulate so-called “private” sites. “With a decent number of machines you can scan the entire space,” said Cornell Tech’s Vitaly Shmatikov. “You just randomly generate the URLs and see what’s behind them.” Once the process is complete, “online resources that were intended to be shared with a few trusted friends or collaborators are effectively public and can be accessed by anyone,” the researchers said in their report. “This leads to serious security and privacy vulnerabilities.” [Wired]

WW – Google Unveils Privacy-Protective Beacon

Seeking an answer to Apple’s iBeacon, Google released new information on its open-source beacon format Eddystone. Eddystone has four different frame types, one for identifying other beacons, a second to send URLs to other devices, and a third that sends diagnostic data on a user’s phone. The fourth option, the Ephemeral Identifiers mode, offers a secure connection between the beacon and user. The EID is the only format to keep device information private and can be used to act as a Bluetooth tracker to locate various objects, like car keys. No identifiable or traceable information is available outside the connection as EIDs are equipped with a constantly changing identifier that alters the beacon ID — anywhere from a couple of seconds to hours at a time — making it difficult for third parties to capture any usable information. [Ars Technica]

WW – How Should Crowdfunding Platforms Deal With Privacy?

Crowdfunding has seen explosive growth, both domestically and globally, in the past few years. As the industry continues to mature, U.S.-based crowdfunding platforms are beginning to find that privacy considerations deeply impact their business. Aside from the usual considerations facing traditional financial service companies, crowdfunding platforms must be conscientious in the type of borrower or sponsor data they choose to display to investors on their website. Depending on the particular measures employed to protect the individual’s identity, the website may end up publishing very sensitive information in violation of strong public policies in favor of identity protection. [Privacy Advisor]

US – NAI Members’ Privacy Practices Up to Snuff: Study

The Network Advertising Initiative published its 2015 Annual Compliance Report, compiled by NAI Counsel and Director of Compliance Anthony Matyjaszewski. The report studied its “members’ adherence to the NAI Code of Conduct,” and found NAI members “­met their obligations under the provisions of the code and demonstrated their commitment to consumer privacy and industry best practices.” The NAI’s Noga Rosenthal said, “NAI is set apart in the industry by its high standards for Internet­-Based Advertising and related business models, and our robust monitoring program that ensures compliance with these standards. The 2015 Compliance Report shows that member companies continue to take their obligations under the code seriously.” [Network Advertising Initiative]

WW – As Friend Network Grows, Facebook Sharing Decreases

Facebook is trying to combat a growing lack of “personal sharing” that occurs as social media users’ friend groups increase and a sense of online intimacy diminishes. The trend of sharing news articles instead of personal status updates has led to what insiders dub a “context collapse,” with “original sharing” of personal anecdotes down 21% since mid-2015, the report states. Instead, users are employing outlets like Instagram and Snapchat to share, where their audience is comparatively small. Facebook’s newer “On This Day” feature is an attempt to combat the trend, the report adds. Meanwhile, a forthcoming Chrome extension, “Data Selfie,” will let users see their data profile as Facebook and other advertisers do, Motherboard reports. [Bloomberg Technology]

Privacy (US)

US – FTC Accepting Research Proposals for 2016 Events

The FTC is accepting proposals via public comment from privacy researchers for its upcoming PrivacyCon and Fall Technology Series events. The FTC’s 2016 focus is on research papers that “quantify consumers’ privacy and security interests, discuss attack trends and responses, and describe research on transparency and control,” the report states. “It is extremely valuable for us to hear from privacy and security researchers about their work,” the report continues. “This helps us stay up-to-date with technology and identify potential areas for investigation and enforcement.” The FTC will accept PrivacyCon submissions until Oct. 3. [Source]

US – Uber to Pay Up To $25M in Driver Background Checks Lawsuit

Uber has settled a civil lawsuit with the district attorneys of L.A. and San Francisco over claims the company deceived customers on its safety practices and driver background checks. In papers filed in a U.S. District Court, Uber will pay $5 million to each of the district attorneys and faces an additional $15 million fine if the terms of the settlement aren’t met within two years. Additionally, the safety-related language Uber uses around the ride fees must be reworded. The lawsuit claimed Uber overstated safety measures used to screen drivers, only requiring a driver pass a background check carried out by a third-party service. [The New York Times]

US – Lawsuit: Seattle Compost Ordinance Is Rotten

A Seattle ordinance that bars people from throwing their coffee grounds, pizza scraps and other potential compost into their trash cans is being challenged by critics who say the liberal city is turning garbage collectors into trash investigators. A group of homeowners has sued the city over the tactic, claiming it violates privacy protections provided by the state Constitution. The rule that went into effect early last year requires trash collectors to tag garbage cans that contain more than 10% compostable material with educational information. The tactic is projected to divert as much as 38,000 tons of extra food waste from a landfill every year. Several other cities have passed similar food waste laws, including Vancouver, B.C., San Francisco and Portland, Oregon. Lawyers for the homeowners cited a case that was argued in front of the Washington Supreme Court in which Port Townsend police searched a man’s garbage for evidence that he was selling drugs after the trash was placed on a curb. The court ruled police needed a warrant to search the rubbish, even if it was in plain view near the sidewalk. Homeowners also presented an affidavit from someone claiming they were tagged for compost violations twice when their trash had been secured in black plastic bags, suggesting collectors opened the bags to search for compost. [Source]

US – Uber has Given US Agencies Data on More than 12 Million Users

Uber has released its first ever transparency report. More than 12 million riders and drivers were affected by regulators’ data demands between July and December 2015. The fact that regulators are doing the demanding is what makes the number so big. Uber’s the first company, it claims, to include regulatory requests. Uber says the reason it’s including regulatory requests is that its business is “different.” Besides regulatory data, Uber provided data on 469 users to state and federal law agencies. The agencies requested information on trips, trip requests, pickup and dropoff areas, fares, vehicles, and drivers. It got 415 requests from law enforcement agencies, the bulk of which came from state governments. It produced data in nearly 85% of these cases. Uber used the transparency report release to push back against regulatory agencies that it thinks could compromise users’ privacy by going after more data than necessary. From the Medium post: In many cases they send blanket requests without explaining why the information is needed, or how it will be used. And while this kind of trip data doesn’t include personal information, it can reveal patterns of behavior  –  and is more than regulators need to do their jobs.It’s why Uber frequently tries to narrow the scope of these demands, though our efforts are typically rebuffed. This isn’t the first time Uber has wrangled with the California Public Utilities Commission (CPUC) over rider and driver data. In January, the CPUC fined Uber $7.6 million for failing to meet data reporting requirements in 2014. The CPUC was after data about accessible cars, the number of rides requested and accepted per ZIP code, and driver safety information. [Source]


UK – Brits Suffer More than 2,000 Ransomware Attacks Each Day

DON’T PANIC but the amount of cyber crime bashing the UK is increasing, at least according to Symantec and one of its regular round robin threat missives. The Symantec 2016 Internet Security Threat Report warned that threats are rising in several areas. The firm logged an international increase of 35% in crypto-ransomware attacks, the UK taking the third largest chunk with up to 2,215 attacks a day. Some of the best advice from the security community is to use strong passwords, a suggestion Symantec makes in its summaries and guidance information. The security firm said that the enemy is now more organised than ever before, and that most groups have the same kind of resources, skills and support as nation-state hacker groups. “ [The Inquirer]

Smart Cars / IoT

US – NTIA Begins Internet of Things Consultation

The National Telecommunications and Information Administration (“NTIA”) has initiated an inquiry regarding the Internet of Things (IoT) to review the current technological and policy landscape; NTIA is seeking input from interested stakeholders on the potential benefits and challenges of these technologies and what role, if any, government should play – comments are due before May 23, 2016. [Source]


CA – RCMP Being Investigated Over Controversial Spy Tech

An OPC spokesperson confirmed that it has opened an investigation into the RCMP’s use of IMSI catchers, or “StingRays.” These devices are essentially fake cell phone towers that force phones in the vicinity to connect and reveal identifying information. The use of such devices has been the topic of much heated discussion and public debate in the US. The Florida Supreme Court ruled that the warrantless use of StingRays by police is unconstitutional in 2014. StingRays are controversial because they target devices within a certain area, and thus risk violating the privacy of innocents. A leaked email from Correctional Services Canada last year indicated that an unnamed, StingRay-like device was installed in an Ontario prison to monitor inmate communications, but also caught innocent people outside the facility in the dragnet. “These are fundamentally tools of mass surveillance,” said David Christopher of OpenMedia, the organization that filed the privacy complaint that spurred OPC’s investigation. Canadian police have been extraordinarily unforthcoming when it comes to the use of IMSI catchers, or StingRays. Last month, seven men accused in a Quebec court case relating to a mafia slaying pleaded guilty, but not before the RCMP was forced to reveal in open court that they had used a so-called “mobile device identifier”—the RCMP’s term for IMSI catchers—in the course of their investigation. The end of the case meant that the RCMP will reveal no more information about its use of IMSI catchers in court. In BC, Vancouver police are embroiled in a public battle to keep the details of their use of IMSI catchers secret. [Source] See also: [Feds back RCMP secrecy on possible use of ‘stingrays’ for surveillance] [Privacy watchdog to investigate RCMP over alleged ‘stingray’ cellphone surveillance]

US – Bill Permits Government Use of Automatic License Plate Reader Systems

HB 93, An Act to Amend Article 1 of Chapter 1 of Title 40 of the Official Code of Georgia, has passed the House and is tabled in the Senate. Law enforcement agencies are permitted to store (immediately upon collection) and exchange license plate data; the data cannot be accessed except for a law enforcement purpose, must be destroyed no later than 1 year after collection, and policies and procedures for use and operation of an automated license plate recognition system must be maintained. [HB 93 – An Act to Amend the Georgia Code to Prohibit Law Enforcement from Retaining License Plate Data Obtained from License Plate Recognition Systems]

Telecom / TV

US – California Says No to Phone Decryption Bill

A California bill that aimed to punish companies for making smartphones that can’t be cracked has failed. The bill, introduced by assembly member Jim Cooper was introduced in January and required any smartphone sold in California to have the ability to be decrypted. It was “rejected without a vote,” the report states. “The bill, both before and after it was amended, posed a serious threat to smartphone security,” said Rainey Reitman of the Electronic Frontier Foundation. “It would have forced companies to dedicate resources to finding ways to defeat their own encryption or insert backdoors to facilitate decryption.” [ZDNet]

WW — Google Changes App Developer Rules

Aiming to improve privacy and mitigate risk, Google has released a new set of users’ data policy rules for its Chrome Web Store. Developers will be required to publish a privacy policy and use encryption for sensitive or personal information, the report states. And if sensitive data is being collected for a reason that isn’t directly related to an app feature, a prominent disclosure is required, separate from the privacy policy. The change comes following the passage of the GDPR, which requires “clear and affirmative consent” when processing personal data, the report states. Google says developers have until July 14 to makes the necessary changes to comply. [ZDNet]

US Government Programs

US – Privacy Orgs Encourage FCC to Ignore Comment Extension Requests

The Center for Digital Democracy, Electronic Privacy Information Privacy, and eight additional agencies have asked the FCC to disregard the Association of National Advertisers’ request to extend the evaluation time of the FCC’s new behavioral advertising regulations. The ANA’s wish for a request for a 60-day deliberation extension is “unwarranted,” as “the public has long had notice of many of the questions the FCC would attempt to address in this proceeding,” the groups said in a letter to the FCC. “This issue is extremely important and timely. In order to protect consumers without undue delay, the FCC should decide it as quickly as possible.” [MediaPost] [Association of National Advertisers seeks extension for comments on FCC’s broadband rule]

US Legislation

US – Draft Crypto Bill Criticized as “Ludicrous, Dangerous, Technically Illiterate”

US senators have introduced legislation that would require technology companies to comply with requests from law enforcement to unlock encrypted devices. A “discussion draft” of the bill was leaked last week. It has been criticized for weakening security and hindering competitiveness. The bill requires compliance with court orders for information, and if the information is “unintelligible,” the bill requires that the information be made “intelligible.” [Wired] [SC Magazine] [CNET] [InformationWeek]

US – House Bill Would Require Verification of Identification to Purchase Pre-Paid Mobile Devices

H.R. 4886, Closing the Pre-Paid Mobile Device Security Gap Act of 2016, was introduced in the House of Representatives and referred to the Committee on Energy and Commerce. Authorized resellers of mobile devices and SIM cards would be required to collect identifying information at time of purchase and share the information with the device’s wireless carrier; failure to comply with these provisions can result civil penalties of $50 for each separate offense. [H.R4886 – To require purchasers of pre-paid mobile devices or SIM cards to provide Identification]

Workplace Privacy

CA – Secret Video Surveillance Allowed In Ontario Dismissal Case

In a preliminary award, an Ontario arbitrator allowed covert video surveillance footage to be used as evidence in a wrongful dismissal grievance. The complainant, Mr. Donnelly, was one of three elementary school custodians dismissed for allegedly smoking marijuana, adjacent to school grounds during working hours. The wrongful dismissal case between Ottawa-Carleton District School Board and Ontario Secondary School Teachers’ Federation, District 25 (Donnelly Grievance) was mediated by Arbitrator Knopf. The three dismissed custodians were reported by a fellow employee who maintained alleged marijuana use and trafficking, while at work. Following the report, the Board’s Director of Human Resources sought approval to hire a private security company to conduct covert video surveillance. The surveillance team was strictly instructed to record only illegal drug use within the vicinity of the school. Following such footage being obtained, the complainant was reprimanded and his employment terminated by the Board. In Donnelly’s defence, the union highlighted the failings of the surveillance footage in adhering to the Board’s policies and procedures. The union maintained that the security company had failed to deliver the video evidence in a secure manner, without proper documentation of the approval process. They argued the video evidence be inadmissible, as policy permitted video surveillance, only to enhance safety, protect property or identify intruders, and not to collect dismissal evidence. Furthermore, they contended such covert video surveillance should only be used as a last resort, which this was not. Privacy rights were taken into account when assessing the admissibility of the video footage, however, Arbitrator Knopf accepted the evidence in light of the management’s right to provide a safe workplace. She decided this was a last resort situation, and the former employee had a low expectation of privacy since he allegedly performed illegal drug use and trafficking in a public space, while at work, and wearing a work uniform. She said that the Board had a reasonable basis to carry out the surveillance, amid credible allegations of illegal behaviour on school grounds. [Source] See also: [Ireland CCTV images of illegal dumpers raise privacy concerns: Data Protection Commissioner contacts Dublin City Council over litter poster]

CA – Tribunal Denies Request by Employer to Submit Surreptitiously Obtained Evidence from Employee’s Social Networking Account

A Quebec labour tribunal considered an appeal of an earlier decision, including a request to consider evidence from an employee’s social networking site. The employer obtained the social networking profile content through the deceptive actions of an unknown third party, and it is not the first occasion on which the employer has done so; the employer has not demonstrated sufficient grounds to justify such an invasion of privacy (i.e. a serious purpose that would appropriately allow the employer to discover dishonest content of the employee’s Facebook page, without the employee’s knowledge). [Maison St-Patrice Inc. v. Julie Cusson – 2016 QCTAT 482 – Administrative Labour Tribunal]

CA – Best Practices: OPC Guidance on Handling Employee “Snooping”

The OPC guides entities on addressing inappropriate employee access to personal information. Organizations must set clear expectations with their employees (through clear communication concerning snooping, its harm and consequences), monitor for unauthorised access to records (audit access logs), and be prepared to respond appropriately when snooping is discovered (conduct of investigation, mitigate harm to affected individuals, and include disciplinary action). [OPC Canada – Ten Tips for Addressing Employee Snooping]

AU – New Legislation Allows Companies to Surveil Suspicious Employees

New Australian legislation allows employers to watch their employees outside of the workplace if there’s suspicion of unlawful activity tied to their job. The law covers 160,000 Canberra workers, UnionsACT Chief Alex White said. “If someone has done the wrong thing, if they are breaking the law or engaging in criminal activity, the appropriate agency to investigate that is the police, it’s not the employer or insurance company,” said White. Justice Minister Shane Rattenbury said strict safeguards are enacted to ensure workers have a right to privacy. “There are important safeguards there with the requirement for a magistrate to permit any sort of surveillance that is undertaken,” said Rattenbury. “We also worked very closely with the Human Rights Commission to make sure that these rights, these new powers, were compliant.” [Full Story]


01-08 April 2016


IN – Indian Gov’t Biometric Database at One Billion-Person Mark

India’s biometric database notched up one billion members this week, as the government sought to allay concerns about privacy breaches in the world’s biggest such scheme. India is home to 1.2 billion people. The database was set up 7 years ago to streamline benefit payments to millions of poor people as well as to cut fraud and wastage. Under the scheme, called Aadhaar, almost 93% of India’s adult population have now registered their fingerprints and iris signatures and been given a biometric ID. IT minister Ravi Shankar said the initiative had enabled millions to receive cash benefits directly rather than dealing with middlemen. He said the government had saved 150 billion rupees ($2.27 billion) on its gas subsidy scheme alone – by paying cash directly to biometric card holders instead of providing cylinders at subsidised rates. He also said all adequate safeguards were in place to ensure the personal details of card holders could not be stolen or misused by authorities given access to the database. His comments come after parliament passed legislation giving government agencies access to the database in the interests of national security. It was passed using a loophole to circumvent the opposition in parliament, where the ruling Bharatiya Janata Party (BJP) lacks a majority in the upper house. [Agence France-Presse]

JP – Fingerprints to be Tested as ‘Currency’ in Japan

Starting this summer, the Japanese government will test a system in which foreign tourists will be able to verify their identities and buy things at stores using only their fingerprints. The government hopes to increase the number of foreign tourists by using the system to prevent crime and relieve users from the necessity of carrying cash or credit cards. It aims to realize the system by the 2020 Tokyo Olympic and Paralympic Games. The experiment will have inbound tourists register their fingerprints and other data, such as credit card information, at airports and elsewhere. Tourists would then be able to conduct tax exemption procedures and make purchases after verifying their identities by placing two fingers on special devices installed at stores. The Inns and Hotels Law requires foreign tourists to show their passports when they check into ryokan inns or hotels. The government plans to substitute fingerprint authentication for that requirement. A total of 300 souvenir shops, restaurants, hotels and other establishments will participate in the experiment. They are located in areas that are popular among foreign tourists. The government plans to gradually expand the experiment by next spring, to cover areas including tourist sites in the Tohoku region and urban districts in Nagoya. It hopes to realize the system throughout the country, including Tokyo, by 2020. [Source]


CA – CSE and CSIS Looking to Work Together, Say Top Secret Documents

Canada’s top two intelligence agencies looking for new ways to work together, while review bodies remain in silos. The heavily censored documents were sent by CSE chief Greta Bossenmaier and CSIS director Michel Coulombe to Richard Fadden, the national security adviser to the prime minister, in August 2015. Fadden was both a former director of CSIS and the former top bureaucrat at National Defence, which is responsible for CSE. Bossenmaier and Coulombe suggest the two agencies are trying to “leverage (CSE’s) Mandate C authorities,” and set up a working group to “maximize opportunities for operational collaboration.” That could spell trouble for the small group of independent watchdogs reviewing the spy agencies’ activities. Both Security Intelligence Review Committee and the CSE Commissioner’s office can review their respective agencies but can’t conduct joint investigations or see the big picture. [The Star]

CA – Liberals Postpone Full Access-to-Information Reform to 2018

The Liberal government says a full review of the outdated Access to Information Act will have to wait another two years. A comprehensive examination of the access law will begin in 2018, Treasury Board President Scott Brison said. Meantime, the government plans to introduce legislation as soon as this year with quick fixes to the law, based on promises the Liberals made during the election campaign and consultations already under way. The promised changes include giving the information commissioner the power to order government records to be released and ensuring the access law applies to the offices of the prime minister, his cabinet members and administrative institutions that support Parliament and the courts. A Commons committee recently began a study of the Access to Information Act, which has not been substantially updated since it took effect almost 33 years ago. In addition, the government began a public consultation on transparency on Tuesday. People can go to to offer their views on what should be in the next federal strategy on open government. Officials will also hold in-person discussions across the country and the resulting plan is to be released this summer. [Source] See also: [Canadian officials requested to meet with Information Commissioner Suzanne Legault in order to find “a mutually satisfactory resolution” to a constitutional challenge to a law that protected Mounties after they destroyed data]


US – FCC Exploring Supercookie Ban in Verizon Case

As part of the FCC’s proposal to require ISPs to gain consent before tracking consumers’ online behavior for ad purposes, it is also considering banning certain tracking technologies. The FCC is seeking comment on “whether the use of persistent tracking technologies may expose … customers to unique privacy harms and as such, whether the Commission should prohibit (Internet service) providers from employing such practices.” More specifically, it would like to know whether the technologies should require some form of customer consent, and whether the technology, or banning it, has benefits for consumers. [Full Story]

EU – Group of 75 Consumer Orgs Comes Out Against Shield

Trans Atlantic Consumer Dialogue, a collection of 75 consumer-rights groups based in the U.S. and Europe, issued a statement today urging the European Commission “not to adopt the Privacy Shield.” The group criticized the potential adequacy agreement for being a “self-declared, self-regulatory system, which will be adhered to by a limited number of companies” and said the U.S., because it lacks a “robust” privacy framework, cannot guarantee an essentially equivalent level of protection for personal information of European citizens. TACD also urged the Commission to hold off on signing the EU-U.S. Umbrella Agreement for the sharing of data between law-enforcement agencies and to “prompt those Member States engaging in mass surveillance of individuals to put an end to such practices.” [Full Story]


CA – CRTC Enters into MOU with FTC on Spam & DnC

On March 24, 2016, the CRTC signed a memorandum of understanding with the US FTC. The MOU is an effort by Canada and the US to work together on anti-spam enforcement measures, and expressly refers to unsolicited telecommunications, unsolicited commercial electronic messages (spam), and other unlawful electronic threats (e.g., malware and botnets). The MOU will allow the Participants to facilitate research and education related to unauthorized communications. Both Commissions also plan to share knowledge and expertise through training programs and staff exchanges, and to inform each other of developments related to the laws, among other activities. [Source]

US – FBI: $2.3 Billion Lost to CEO Email Scams

The U.S. FBI this week warned about a “dramatic” increase in so-called “CEO fraud,” e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years. In an alert posted to its site, the FBI said that since January 2015, the agency has seen a 270% increase in identified victims and exposed losses from CEO scams. The alert noted that law enforcement globally has received complaints from victims in every U.S. state, and in at least 79 countries. The FBI estimates that organizations victimized by CEO fraud attacks lose on average between $25,000 and $75,000. But some CEO fraud incidents over the past year have cost victim companies millions — if not tens of millions — of dollars. [Krebs]


WW – WhatsApp Just Switched on Encryption for a Billion People

WhatsApp, an online messaging service now owned by tech giant Facebook, has grown into one of the world’s most important applications. More than a billion people trade messages, make phone calls, send photos, and swap videos using the service. And today, the enigmatic founders of WhatsApp revealed that the company has added end-to-end encryption to every form of communication on its service. This means that if any group of people uses the latest version of WhatsApp—whether that group spans two people or ten—the service will encrypt all messages, phone calls, photos, and videos moving among them. And that’s true on any phone that runs the app, from iPhones to Android phones to Windows phones to old school Nokia flip phones. With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network. In other words, WhatsApp has no way of complying with a court order demanding access to the content of any message, phone call, photo, or video traveling through its service. Like Apple, WhatsApp is, in practice, stonewalling the federal government, but it’s doing so on a larger front—one that spans roughly a billion devices. [WIRED] See also: [Public Safety, RCMP saying little about WhatsApp encryption]

EU Developments

EU – Deal with EU, Canada to Share Air Travellers’ Data Raises Privacy Fears

An agreement between the EU and Canada to share airline passenger data that they say is key to fighting terrorism drew tough scrutiny at an EU court hearing last week because of privacy concerns. The dispute over the retention and sharing of passenger name records (PNR) has become a shibboleth in Brussels for the debate over balancing people’s privacy with the need to protect against terrorism. The agreement with Canada foresees the retention and sharing with Canadian authorities of airline passenger data by carriers operating flights between the EU and Canada. The Luxembourg-based Court of Justice of the European Union (ECJ) heard arguments for and against the agreement at a six-hour proceeding. Islamist militant attacks in Paris last year and last month’s attacks in Brussels have stoked calls for law enforcement agencies to have easier access to people’s data. Ireland, France, Britain, Spain and Estonia, who intervened in the case, emphasized that PNR do not allow investigators to paint a detailed picture of someone’s private life. But the European Parliament and privacy advocates cast doubt on that assertion. [Reuters]

EU – Other News

Facts & Stats

WW – 2016 Data Security Incident Response Report

BakerHostetler has yet again compiled a year’s worth of breach response data into a compact report that analyzes trends in data breach response, released this year to coincide with the Global Privacy Summit. “Is Your Organization Compromise Ready?” documents lessons learned from more than 300 security incidents in 2015. Some of the major findings? Nearly a quarter of all breaches happened in the healthcare industry. It takes an average of 69 days from occurrence of a breach to its discovery, and an average of 40 days from discovery to notification. And nearly a quarter of incidents led to regulatory investigations or inquiries. [Read More]


WW – Panama Document Leak Exposes Global Corruption, Secrets of the Rich

The financial secrets of heads of state, athletes, billionaires and drug lords have been exposed in the latest — and biggest ever — leak of records from an offshore tax haven. The leak includes 11.5 million confidential documents shedding light on the assets and murky fiscal dealings of everyone from the prime ministers of Iceland and Pakistan to soccer player Leo Messi, movie star Jackie Chan and associates of Russian President Vladimir Putin. The records, dating as far back as 1977, come from a little-known but highly influential Panama-based law firm called Mossack Fonseca, which has 500 staff working in 40-plus countries. The firm is one of the world’s top creators of shell companies — corporate structures that can be used to hide ownership of assets. German newspaper Süddeutsche Zeitung obtained the files from a source and shared them with global media partners, including CBC News and the Toronto Star, through the Washington-based International Consortium of Investigative Journalists. The release of the leaked documents may prompt governments to seek “concrete sanctions” against jurisdictions and institutions that peddle offshore secrecy. [CBC] News

US – NAIC Seeks Feedback for Insurance Data Security Law

A cybersecurity task force of the National Association of Insurance Commissioners (NAIC) has proposed a new insurance data security model law. The initiative, introduced last month, establishes new standards for data security, breach responses and the roles of the regulator, the organization says. “Because insurance is a data-driven industry, regulators must understand what data is being collected and for what purpose,” the NAIC said. “Today, regulators and companies have a need for data beyond what has been traditionally collected. But what regulators need is greater insight, not just more data.” Early responses to the proposed law have been mixed, with other associations raising concerns about the law’s suggestion that insurance regulations be allowed to vary by state and variations in response allowed for jurisdictional commissioners. After several high-profile hacks in 2015, the insurance industry and its regulators still are learning about the hackers aggressively hunting customer’s personally identifiable information (PII) data, financial records and medical histories. [Source] [See Graphic] See also: [state data security breach notification laws] and also: [Cyber insurance underwriters may want to consider less “absolute” questionnaires: ICRMC speaker]

US – Cyber Insurance Rates Drop

The rates for cyber insurance for organizations usually deemed to be high risk, such as retailers and healthcare organizations, fell during the first three months of 2016 because of a drop in high-profile breaches. The average price for US $1 millions in insurance fell to US $18,756. Last year, in the wake of high profile breaches like those at Target and Home Depot, the average premium was as high as US $21,642. [Reuters]


CA – NL Teachers Going to Court to Fight Sunshine List Disclosure

The Newfoundland and Labrador Teachers’ Association (NLTA) plans to go to court to block the release of the names of about 300 people who earn more than $100,000 working in the province’s school system. NLTA president Jim Dinn said that when he became aware of an access to information request seeking the names and salaries of teachers, he “immediately” knew the association had to fight it. Dinn said he believes releasing the list of teachers, principals and other educators earning more than $100,000 would be an undue invasion of privacy. Last year, as part of the Progressive Conservative government’s push for greater government openness and transparency, then-minister Steve Kent committed to creating a so-called “sunshine list” that would include the names, positions and remuneration of all government employees earning more than $100,000. The project was never completed because the Tories were tossed from government by voters in the November election. Since they took power, the new Liberal government has been indecisive on whether to follow through. In the meantime, The Telegram filed a suite of access to information requests in an attempt to create an ad hoc sunshine list. Several public bodies — including Memorial University, the core civil service, Nalcor Energy and the Royal Newfoundland Constabulary — have provided the requested information, and that data will be posted online by The Telegram this week. However, the province’s four regional health authorities and the English School District have declined to provide employees’ names. Those five public bodies said they would first inform their employees about the potential disclosure, and if anybody objected, the matter would be sent to the Office of the Information and Privacy Commissioner, or to the courts, for a ruling. [Source]

CA – NL Salary Disclosures OK Under New Access Law, Watchdog Says

Newfoundland and Labrador’s information and privacy commissioner says the new transparency law that replaced Bill 29 permits the public release of salary details of employees of public bodies. “It is our view that such a disclosure is in compliance with the law,” Ed Ring said in a press release issued Monday afternoon. Ring noted that a number of public bodies have already released that information in response to open-records requests. But he said others “have been uncertain in their interpretation of the law,” and have notified affected employees before releasing the information. Ring noted that a panel led by former premier and judge, Clyde Wells, that reviewed access-to-information laws found that disclosure of salary details is not an unreasonable invasion of privacy, and therefore cannot be withheld by a public body. “It is the interpretation of this office that this means that names of public body employees and their salaries are to be disclosed to an access-to-information applicant upon request,” Ring noted. “This type of disclosure is not unusual in Canada, and for example, has been done for many years under different legislation in Ontario.” [Source]

US – The FBI Says a Piece of Code Broke Its FOIA System

In February, activist Michael Best took a novel approach to filing a mass of Freedom of Information Act requests at once: he wrote a script to automatically ask for the files of just under 7,000 dead FBI officials. The FBI has replied, and it is not happy. The agency decided to not accept any of Best’s related requests, and may have also blocked or otherwise filtered further emails sent to the agency’s FOIA department by him. The episode shows that the way FOIAs are processed is very much an antiquated practice, and that perhaps US government agencies should think of new ways to handle requests. “The FBI email portal is designed to provide a convenient, alternative means to all Freedom of Information Act (FOIA) and Privacy Act (PA) requestors [sic] to make requests for FBI records,” a letter from David M. Hardy with the FBI’s Records Management Division to Best, dated March 30, 2016, reads. “On February 29, 2016, the FBI received an exceedingly high volume of submissions from you via the FBI email portal which had been generated by script [sic] using a list of names. This matter of submission interfered with the FBI’s ability to perform its FOIA and PA statutory responsibilities as an agency. Accordingly, the FBI did not accept these submissions on February 29, 2016, via the FBI FOIA email portal,” it continues. Best’s script was simple enough: It took names of special agents and other FBI officials collated from the agency’s own “Dead List,” a list of people the FBI knows to be deceased, and placed each into a request template. The request was for records held concerning the subjects, which can be released after the person is deceased. (For what it’s worth, Best says he didn’t submit his requests via the “email portal” as the FBI’s letter states, but just sent them to the normal FBI FOIA email address.) “I think the letter’s vagueness is counterproductive,” Best told Motherboard in a Twitter message. “’The manner of submission’ could mean almost anything. The volume of requests, or using the script? If it’s the former, I’ve never heard of an agency discarding FOIA requests because there were too many, and if it’s the latter I don’t see how the locally run script would have created a problem.” The requests weren’t even “rejected,” at least in the traditional FOIA context. Requests can be rejected if they are determined to be too burdensome on the agency. But that’s not what happened here—the FBI didn’t even accept the requests in the first place. [Source]

CA – Residential School Abuse Stories Must Be Shredded After 15 Years: Court

Survivors of Canada’s notorious residential school system have the right to see their stories archived if they wish, but their accounts must otherwise be destroyed in 15 years, Ontario’s top court ruled in a split decision last week. At issue are documents related to compensation claims made by as many as 30,000 survivors of Indian residential schools — many heart-rending accounts of sexual, physical and psychological abuse. Compensation claimants never surrendered control of their stories, the Appeal Court said. “Residential school survivors are free to disclose their own experiences, despite any claims that others may make with respect to confidentiality and privacy,” the court said. The court rejected the idea the documents were “government records” but said the material fell under the court’s control. [Source]

US – ESPN Argues Athlete’s Medical Records Matter of Public Concern

Cable sports network ESPN has filed court papers arguing that journalists are entitled to provide the public with visual evidence to corroborate reports, even in cases involving the athlete’s medical records. Last summer, Jason Pierre-Paul, a player in the NFL, blew part of his hand off in a fireworks accident. Reporter Adam Schefter tweeted a picture of Pierre-Paul’s medical record as proof. The football player has sued ESPN, arguing his privacy was violated. The media outlet argues Pierre-Paul’s claims “cannot succeed where, as here, the subject-matter of a news report is a matter of public concern.” [Hollywood Reporter]

CA – Judges Reject Media Ban in Two Assisted-Death Cases

Canadian judges have refused to bar the media from assisted-death cases for the first time. Judges in Ontario and British Columbia both rejected requests to ban the media from the hearings, breaking precedent set in Canada’s first application for an assisted death in late February. While the judges in the two cases understand the request for privacy by the two clients, the cases are “uniquely significant,” and blocking the media would harm the “open court principle,” said Chief Justice Christopher Hinkson of the British Columbia Supreme Court. “Conducting these proceedings in camera would effectively prevent the public from having any information about the case, other than what is volunteered by the parties or provided by the court in its reasons for judgment,” Hinkson said. [The Globe and Mail]

Health / Medical

CA – BC Arbitration Board Rules Nurse Must Be Reinstated Despite Multiple Incidents of Patient Data Snooping

The BC Nurses Union brought a grievance on behalf of a member who was terminated by her employer, the Vancouver Coastal Health Authority, for improperly viewing patient medical records. An arbitrator determined that termination was an excessive response and orders the nurse reinstated, with seniority, but without back pay or benefits; none of the information accessed was disclosed, and the nurse had realized the seriousness of the unauthorized access (she has been out of work a long time and had taken courses to educate herself on the issue). [Vancouver Coastal Health Authority (Olive Devaud Residence) v. British Columbia Nurses Union – 2016 CanLII 11873 (BC LA) – Labour Relations Board]

Horror Stories

PH – Philippines Breach Largest In Government History?

Sensitive information of nearly 55 million Philippine voters has been exposed in possibly the biggest government-related data breach in history. Security researchers believe the entire database of the Philippines’ Commission on Elections has been exposed following a cyberattack compromising the organization’s website by Anonymous Philippines, after which LulzSec Pilipinas, a second hacker group, posted the complete COMELEC database online. The data dump included information such as fingerprints and passport information, although COMELEC officials claim no sensitive information was accessed. Officials also said the national elections being held 9 May will not be affected by the attacks, as the election-related systems will be held on a separate site. During the initial attack, Anonymous Philippines warned COMELEC it should strengthen the security of the voting systems. [The Register]

TU – Nearly 50M national IDs, PII of Turkish citizens leaked online

The national IDs and other personal information of nearly 50 million Turkish citizens — more than half the country’s population — was leaked on a website hosted in Romania. The other personal information included in the data leak included full name and parents’ names of citizens, address and date of birth. Victims of the data breach also include the current president of Turkey, Recep Tayyip Erdoğan and the previous president, Abdullah Gül as well as current Prime Minister Ahmet Davutoğlu. The site features a “lessons to learn” portion that hints on how the data was stolen, and mentions lack of encryption and poor database security. [The Guardian]

CA – Breach at Alberta’s Maintenance Enforcement Program?

An Alberta government employee is under investigation after Edmonton police discovered as many as 60 sensitive files in the province’s maintenance enforcement program may have been accessed inappropriately. The alleged privacy breach was discovered during a larger police investigation, Justice Minister Kathleen Ganley said. The enforcement program collects and enforces court-ordered child and spousal support payments, meaning the files contained financial information and other personal details. “Obviously, we’re deeply concerned because this is the private information of individuals who have come into the program — sometimes very vulnerable individuals,” Ganley said. The employee in question is under investigation by both Edmonton police and Justice Department officials. The employee still has a job with the government, but no longer has access to the client database. “To the best of our knowledge, there is only one individual involved,” she said. [Edmonton Journal]

Identity Issues

CA – Price of Stolen Canadian Identity Plummets On Black Market

The price of a stolen Canadian identity has dropped by half in the space of a few years, says a new report from tech firm Dell. A set of Canadian “fullz” — the basic data needed to steal someone’s identity — now trades for around US$20 on the global market, down from a range of $35 to $45 in 2014, Dell Secureworks said in its latest Underground Hacker Marketplace Report. A set of “fullz” includes a person’s name, date of birth, an identifying government ID like a Social Insurance Number or driver’s licence and some form of financial data, like credit card or bank account numbers. Physical documents are more expensive, with passports going in the thousands of dollars. Fake Canadian passports can run upwards of US$2,600, more than U.S. passports though not as much as those of some European countries. A Canadian SIN card “was observed being sold by cybercriminals out of China for approximately $173,” the report said. The cheaper prices may have to do with a growing supply of stolen identities. The Insurance Bureau of Canada reported last month that there has been an increase in identity theft in Canada in recent years. The Canadian Anti-Fraud Centre said 17,000 Canadians reported being victimized by identity theft in 2015, and losses topped $10.7 million. But the centre warned that, more often than not, identity theft goes unreported. [HuffPost]

US – ONC, NIST Partner on Federated Identity and Health Data Privacy

The National Institute of Standards and Technology is putting up $1 million to find a new approach for patients and providers to access health records in a joint endeavor with the Office of the National Coordinator (ONC) for Health IT. Instead of piling up individual accounts for each provider a patient sees – dentist, specialist, primary care, in the doctor’s office or in the hospital – NIST and ONC are looking for ways to streamline the entire process by enabling a single credential across multiple providers. “For providers, making strides in the efficiency of accessing medical records means time and money saved – and, if done right, better outcomes for security and privacy – what NIST calls a “Federated Identity.’” NIST deputy director Michael Garcia wrote announcing the pilot. ONC, for its part, will participate in the review of applications and also provide technical support regarding implementation and operation of the pilot. “The goal is for hospital systems to work with other regional health systems and provider groups on developing and using a federated identity system,” Garcia explained. “The identity solution must be: privacy enhancing and voluntary; secure and resilient; interoperable; cost effective and easy to use.” NIST said it will fund one award between $750,000 and $1 million for eighteen months Applications can be submitted at until the June 1, 2016 deadline. [Source]

Internet / WWW

WW – Countries that Use Tor Most Are Highly Repressive or Highly Liberal

You might assume that people in the most oppressive regimes wouldn’t use the Tor anonymity network because of severe restrictions on technology or communication. On the other hand, you might think that people in the most liberal settings would have no immediate need for Tor. A new paper shows that Tor usage is in fact highest at both these tips of the political spectrum, peaking in the most oppressed and the most free countries around the world. Eric Jardine, research fellow at the Centre for International Governance Innovation (CIGI), a Canadian think-tank, is the author of the new paper, recently published in peer-reviewed journal New Media & Society. Jardine analysed data from 157 countries, stretching from 2011 to 2013. That information included a rating for a country’s political repression, derived from assessments made by US-based research group Freedom House, and metrics for Tor usage, sourced from the Tor Project’s own figures. Jardine included data for use of both Tor relays, which are nodes of the network users typically route their traffic through, and bridges, which are essentially non-public relays designed to be used in censorship-heavy countries that might block access to normal relays. He also considered a country’s internet penetration rate, intellectual property rights regime, wealth, secondary education levels, and openness to foreign influences. “The results show that, controlling for other relevant factors, political repression does drive usage of the Tor network,” Jardine writes. [Source]

WW – The Art of Privacy

Artist Trevor Paglen has exhibited a sculpture called the Autonomy Cube at museums around the world. The sculpture houses a custom wi-fi router. Museum visitors who connect to it will have their data redirected through the Tor network. The router also serves as a Tor relay. Paglen aims to install Autonomy Cubes in any museum that will pay for their creation. [Wired]

WW – Android Messaging Apps Leaking Data Through ‘Surreptitious Sharing’

German researchers have found a serious flaw in the way many popular Android email and messaging apps – including Skype and even secure systems like Telegram and Signal – share documents, images and videos. Dominik Schürmann and Lars Wolf from Braunschweig University of Technology say the bug, dubbed ‘Surreptitious Sharing’, allows attackers to capture data including passwords, private keys and message histories. They tested 12 popular email and messaging apps and found eight were exploitable. As a result, they said, the flaw is “definitely present in many more apps”. The affected messaging apps are Skype, Threema, Telegram and Signal. The vulnerable email apps are Google’s Gmail and AOSP Mail, K-9 Mail and WEB.DE. Four messaging apps were found to be safe – WhatsApp, Hangouts, Facebook Messenger and Snapchat. The bug lies in the main ‘Intent’ file-sharing API that Android apps use. This allows an attacker to access the receiving app’s private files. Worryingly, even privacy-focused messaging apps were “easily exploitable”, the researchers said. [Source]

Law Enforcement

US – Maryland Appeals Court Upholds Lower Court Stingray Ruling

An appeals court in Maryland recently ruled that police should not have used a stingray cell site simulator device without a warrant. The state had argued that by turning on cell phones, people were consenting to being tracked. The ruling upholds a lower court decision to suppress information gathered with the stingray. It also addresses the obfuscation police used in obtaining a warrant to use the stingray, writing, “A non-disclosure agreement that prevents law enforcement from providing details sufficient to assure the court that a novel method of conducting a search is a reasonable intrusion made in a proper manner and ‘justified by circumstances,” obstructs the court’s ability to make the necessary constitutional appraisal.” [Wired] See also: [Stingray ruling could challenge hundreds of Baltimore convictions]

CA – Canadian Police Forces Moving Towards Costly Body Cameras

Some Canadian cities and police forces already wrestling with cash-flow shortages are moving toward outfitting officers with body cameras despite privacy concerns and scant consensus on the technology’s cost-effectiveness. Body camera programs aren’t cheap, according to multiple forces across the country, and would require hiring more personnel to deal with the hundreds and thousands of hours of footage. Storage costs alone can run in the millions of dollars. Nonetheless, proponents say the cameras provide better evidence, lead to more convictions, improve officers’ interactions with the public and reduce police use-of-force incidents. Others, however, argue the videos invade the privacy of citizens, and worry that administrative duties related to body cameras will keep officers away from policing. [CTV News]


UK – 93% of Mobile Users Have Their Location Tracked Every Day

A new campaign by privacy-focused advocacy group Krowdthink aims to raise aware of the privacy implication of owning a mobile phone in the UK. The ‘Opt Me Out Of Location’ campaign aims to highlight the fact that nearly every single mobile phone owner in the UK (93%) has unwittingly signed up for a contract that permits their location to be tracked. More than this, the data collected allows providers to build up highly detailed customer profiles which Krowdthink warns leaves millions of users just one serious data breach away from having private data exposed to and abused by criminals. Research by Krowdthink says that while most mobile users are suspicious of apps that make use of GPS, few people think about the fact that their location is highly trackable when they connect to wifi hotspots or cell towers. [Source]

Online Privacy

US – Judge Approves Sony Hack Settlement

U.S. District Judge R. Gary Klausner ruled in favor of the estimated 437,000 employees affected by the 2014 Sony hack, approving the settlement that would provide them identity theft protection through 2017. Klausner said the three years of credit monitoring is longer than granted in other class actions, the report states. Sony further agreed to “an optional service that will cover up to $1 million in losses,” with more specific figures relating to the monetary settlement forthcoming. [The Associated Press]

Other Jurisdictions

WW – Nymity and IAPP Announce New Privacy Management Tool

The IAPP and Nymity have announced the Nymity Privacy Management Workbook and supporting materials. Terry McQuay, Nymity’s President stated, “The Privacy Management Workbook is an unlocked Microsoft Excel Spreadsheet that can be used as is, or customized to meet a specific privacy officer’s needs. The Privacy Management Workbook is accompanied with the “Getting Started Manual”, that provides an operationalized approach to privacy management accountability and step by step instructions on how to use the Workbook. For organizations with mature privacy management embedded throughout the organization, there is a second manual called the “Demonstrating Compliance Manual”. This manual outlines an accountability approach to demonstrating compliance with privacy laws that is empowered by the documentation that was collected using the Privacy Management Workbook. [Privacy Management Workbook and the supporting materials]. [Source]

AU – Census Plan “A Massive Invasion of Privacy” Says EFA

Plans to retain people’s names and addresses for this year’s Census have sparked fear that the information could be used by Centrelink, the Tax Office and ASIO and may lead to mass civil disobedience or people lying on their forms, privacy groups believe. The Australian Bureau of Statistics (ABS), which has been around since 1905, conducts a Census every five years. While this has always involved collecting names and addresses, the difference is that this time it wants to hold on to all of this information. The Agency has said it wants to be able to combine Census data with other datasets, such as health and education statistics, to get a “richer and dynamic statistical picture of Australia.” Statisticians argue this could provide insights into many areas, for example, the employment outcomes of different educational programs or designing mental health services, and result in better service planning and delivery. Keeping names and addresses would also make surveys more efficient and reduce the cost and burden on Australian households, said the ABS. But Jon Lawrence from the Electronic Frontiers Australia said retaining such information was unwarranted and intrusive and “an exceptionally bad idea.” “At its very essence, it’s a massive invasion of the privacy of every Australian,” Mr Lawrence said. [Source] See also: [Benefits of the census retaining names and addresses should outweigh privacy fears]

Privacy (US)

US – FTC Releases Agency’s 2015 Annual Highlights Report

FTC Chairwoman Edith Ramirez released the FTC’s 2015 Annual Policy Highlights. The topics covered in the report include the FTC’s noteworthy legal actions in a variety of industries, including health care, technology and other consumer products and services. The report touches upon the FTC’s work to bring actions against technology companies to ensure the protection of consumers’ personal info, including settling a charge with Oracle over the safety provisions in updates to its Java platform. Also touched upon in Ramirez’s report was cross-device tracking, and educating consumers on fraud and deceptive business practices, including, a website to help people report and recover from identity theft. [FTC Press Release]

US – FTC Fines Organisation $79,659,262 for Payment Fraud Scheme

The FTC is granted an order against Ideal Financial Solutions Inc. for participating in violations of the Federal Trade Commission Act. The company and its subsidiaries are permanently restrained from selling, transferring, or otherwise disclosing a consumer’s personal information to any third party without consent, and misrepresenting that a consumer has authorized or consented to the purchase of a product or service, or the nature or terms of any refund, cancellation, exchange, or repurchase policy. [FTC v Ideal Financial Solutions Inc. – USDC for the District of Nevada]

US – Other Privacy News

Privacy Enhancing Technologies (PETs)

US – FTC Releases Web Tool for Mobile Health App Developers

The FTC released this week a web-based tool to assist mobile app developers in determining which federal privacy laws apply to their mobile health applications. The tool asks developers a series of ten targeted questions that help a user determine whether HIPAA, FTC, and/or FDA rules and regulations might apply. The interactive developer tool presents users with questions that include topics such as:

  • the type of information the app will create, receive, maintain, and transmit
  • the type of entity creating the app (or on whose behalf the app is created)
  • the purposes of the app
  • the information the app will provide to consumers and/or patients

The answer to each question points the user to the laws and regulations that may likely apply to the app. The tool also directs users to definitions for common regulatory terms, links, tips and guidance regarding compliance, and other federal agency resources. In conjunction with the release of the developer tool, the FTC also released its own guidance aimed at developer compliance with the FTC Act. This guidance follows the release of OCR’s Health App Use Scenarios & HIPAA guidance and discussion portal and FDA Mobile Medical Applications guidance. Together, these agency releases reflect efforts to provide guidance that will help provide clarity to the growing mobile health app ecosystem.

US – DHS Unveils Privacy Guidelines for Mobile Apps

The U.S. Department of Homeland Security has issued a set of privacy rules for mobile applications developed for the agency. The guidelines include a privacy policy requirement as well as a rule that program managers notify a privacy official and the chief information officer prior to an app’s development. App developers must pass their apps through a DHS “Carwash,” a system that scans the app’s code, which are then reviewed by DHS Chief Privacy Officer Karen Neuman. The guidelines also lay out what kinds of personal information can be processed and require that user information in transit must be encrypted and “immediately transferred to a protected internal DHS system that is compliant with existing DHS IT security policy.” [FCW]

US – Market Surges For Outside Privacy Counsel

A significant portion of corporations—76%—employ outside counsel for privacy and data security matters, according to a Bloomberg Law/IAPP survey study on “The Market for Data Privacy Legal Services.” And that demand is growing. The survey report concluded that:

  • A dedicated privacy team and subject matter experience are the most important qualities—along with basic care and feeding of clients—that companies look for in hiring outside counsel.
  • On average corporations spend nearly $170,000 annually on outside counsel handling privacy and data protection matters.
  • Outside privacy attorneys command high hourly rates, an average of $474 for transactional services, $539 for litigation and $623 for specialized privacy and data protection services.

The survey found that privacy pros in companies generally don’t hire outside counsel for operational tasks, such as PIAs and privacy by design application. But at the same time, significant opportunities for lawyers to expand their revenue may be in advising companies on privacy by design/privacy engineering initiatives, the report said. [BNA] See also: [UK and European firms invest in data protection ahead of GDPR]


WW – A Lot Will Plug a Random USB into Their Computer: Study

Using booby-trapped USB flash drives is a classic hacker technique. But how effective is it really? A group of researchers at the University of Illinois decided to find out, dropping 297 USB sticks on the school’s Urbana-Champaign campus last year. As it turns out, it really works. In a new study, the researchers estimate that at least 48% of people will pick up a random USB stick, plug it into their computers, and open files contained in them. Moreover, practically all of the drives (98%) were picked up or moved from their original drop location. Very few people said they were concerned about their security. 68% of people said they took no precautions, according to the study. Some 135 people actually opened some files in the drives, according to the study. The researchers didn’t put any malware on the sticks, but had left an HTML file that contained an image allowing the researchers to detect when a file was opened. The HTML file also contained a survey, which had the goal of informing unbeknownst students and faculty that they had become part of an experiment, and trying to figure out why they had picked up the drive and opened files inside. Based on the participants’ survey answers, the researchers concluded that most people did it with “altruistic intentions.” In fact, 68% people said they did it to find the owners, while 18% admitted it was just out of curiosity. However, considering their actions, it seems some overestimated their good intentions. Despite the fact that some USB drives contained a resume file, almost half the users didn’t open that file, and, instead browsed vacation photos first, “overtaken by curiosity,” as the researchers put it. [Source]

US – US, Canada Issue National Alerts on Ransomware

The United States Computer Emergency Readiness Team within the Department of Homeland Security and the Canadian Cyber Incident Response Centre have jointly issued a special alert for both nations on the threat of ransomware and recent variants of the virus. The alert highlights the threat to the healthcare industry in the U.S. and worldwide, as well as threats to other businesses and individuals, outlining important steps to help organizations from falling victim to a ransomware attack, and guidelines for responding in incidents in which an organization is fending off ransom demands. The alert takes a hard line on whether organizations should pay to unlock information or computers, suggesting that there is no guarantee that paying a ransom will result in the release of information. Over the last few weeks, about a half dozen ransomware incidents have been reported among U.S. and Canadian hospitals, and in most cases, the organizations have been able to work around the attacks without paying a ransom. In February, Hollywood Presbyterian Medical Center reported that it paid the equivalent of $17,000 to unlock its information after a ransomware attack crippled the facility’s systems for about a week. The federal alert warns that ransomware is being spread via phishing tactics, as well as through “drive-by downloading,” which occurs when a user unknowingly visits an infected web site and malware is downloaded to the computer. [Source] See also; [Ransomware Threat Hits Critical Mass] and [Should Ransomware Attacks Be Considered Breaches? ]

US – Federal Agencies and Ransomware: Statistics

29 US federal government agencies have reported a total of 321 ransomware incidents since June 2015, according to the Department of Homeland Security. Not all of the incidents resulted in infections, and no incidents resulted in payment of ransom. Last December, Senators Ron Johnson (R-Wisconsin) and Tom Carper (D-Delaware), chairman and ranking member of the Senate Homeland Security and Government Affairs Committee, requested information about agencies’ efforts to protect systems from ransomware. Carper has posted the responses to his website. [FCW] [The Hill] [NextGov] [Results on Senator Carper’s Website] [CBC: Ransomware Hits Another (Ontario) Hospital] [SC Magazine]

Smart Cars / IoT

US – NTIA Commences Internet of Things Proceedings

On April 5, 2016, the National Telecommunications and Information Administration (NTIA) initiated an inquiry to review the potential benefits and challenges presented by the Internet of Things (IoT). In its Notice and request for public comment (RFC), NTIA is seeking input on the current IoT technological and policy landscape with a goal of developing recommendations—in the form of a Green Paper—as to whether and how the federal government should play a role in fostering the advancement of IoT technologies. Comments are due on or before May 23, 2016; parties across industry sectors are encouraged to comment. The inquiry is part of the Department of Commerce’s Digital Economy Agenda through which the agency seeks to help develop a free and open Internet and innovation in the digital economy while promoting privacy, security, and broad access. [Source]

WW – IoT Privacy a Concern for 62% Globally, More in U.S.

A newly released study of 5,200 “mobile media users” in Brazil, China, France, Germany, India, South Africa, the U.K., and the U.S. has found 62% of respondents “concerned” about privacy and the Internet of Things. That number rises to 70% in the United States. According to the Mobile Ecosystems Forum, privacy outstrips security (54%), and is a far bigger concern than physical safety (27%) or “machines taking over the Earth” (21%). Which connected devices are most concerning? Respondents answered with their home security as most concerning (30%) followed by their car (12%) and television (10%). [MediaPost]

US – OTA Principles for IoT Privacy and Security Programs

15 months after forming an Internet of Things (IoT) working group, on March 2, 2016, the Online Trust Alliance (OTA) released a final version of its IoT Framework along with a companion Resource Guide that provides explanations and additional resources. The voluntary Framework sets forth thirty suggested guidelines that provide criteria for designing privacy, security, and sustainability into connected devices. The creation of the OTA IoT principles represents a potential starting point for achieving privacy- and security-protective innovation for IoT devices. For now, the Framework focuses on wearable technology and connected home devices. In so doing, it avoids addressing some of the more challenging transparency and consent issues presented by devices lacking a direct buyer-seller relationship, such as those that arise in the retail or infrastructure context. The Framework also excludes connected medical devices and the associated potential life-or-death implications of medical technologies. Though purely voluntary and non-binding, the Framework differentiates between what it posits as “required” and “recommended” guidelines, thereby allowing for a broader consensus in a dynamic environment with many unresolved questions. Certain guidelines will likely be familiar to consumers—such as multi-factor verification for resetting credentials, and user notification after a password change. Other guidelines are particularly tailored to the IoT space—such as disclosure of the duration of patch support, and notice when a device initially pairs with a network. Themes of the Framework include guidelines designed to achieve the following:

CA – Allstate to Offer Albertans Usage-Based Auto-Insurance

A new Alberta insurance program could see motorists save money if they’re willing to install a device that monitors their habits behind the wheel. Allstate is the first company in the province to offer usage-based insurance, which uses technology to collect data on how a vehicle is driven and offer discounts for safe drivers. “It’s a little box you plug in under the steering wheel, and it sends out information,” Edmonton north agency manager Amanda Sawatzky said. “We take the measurements of the data over six months because that’s going to tell us over time what your driving habits are.” The company will check the frequency of hard braking, the time of day customers drive — accidents are more common between 11 p.m. and five a.m. — total kilometres covered and travelling at more than 125 km/h. The information comes from the vehicle’s diagnostic system and is sent out electronically. Drivers can log in to a website and monitor the results. “Hopefully, as you see a hard braking or speed incident, you’re more aware of it and it leads to safer driving habits,” Sawatzky said. After six months, the equipment will be removed and Allstate will offer participants premium discounts of up to 30%, depending on how well they did. Even if they do badly, their premiums won’t rise. Any discount remains as long as they own the vehicle. “It’s empowering drivers and there’s no downside to it. The safer you drive, the more you can save.” It’s unlikely someone will change how they drive for six months, then revert to bad habits once the monitor is out, she said. People who want to see whether they should sign up will receive a 5% premium cut for a year for using a test app. [Edmonton Journal]


US – New Hampshire Bill Regulates Government and Citizen Use of Drones

Last month lawmakers in the New Hampshire House of Representatives passed a bill regulating government and citizen use of drones. The bill includes strong privacy protections that address some of the most common concerns associated with police using flying robots. The legislation is the latest example of local lawmakers improving upon decades-old Supreme Court precedent amid rapidly changing technology. In a world where drones with cameras are well within many law enforcement budgets it is reasonable to ask when police can fly a drone over your backyard. It’s understandable if you think that you have a reasonable expectation of privacy in your backyard, but the fact is that the Supreme Court ruled in two cases from the 1980s (Florida v. Riley and California v. Ciraolo) that you don’t. In both cases justices on the Court held that observations from the air are analogous to observations from public roads. [Forbes] See Also: [FAA committee writing rules permitting small drones over crowds]

US – NTIA Postpones Drone Privacy Meeting

The National Telecommunications & Information Administration has postponed an April 8 multistakeholder meeting on drone privacy, saying some stakeholders said that work on a revised draft of voluntary drone privacy guidelines would not be ready to circulate to the full group until April 22. The meeting will be rescheduled for early May, according to John Verdi, NTIA’s director of privacy initiatives, in a note to stakeholders. The effort is among a number sets of best practices NTIA is trying to help industry and civil society representatives agree on to enforce the Obama administration’s privacy bill of rights. Others include on apps and facial recognition. It has been a year since NTIA sought comment on “privacy, accountability, and transparency issues” surrounding the use of unmanned aircraft systems (UAS), which are being increasingly used in TV news and film production. Those studios told NTIA they do not think there need to be any privacy guidelines for their use in such productions since they are either used on closed sets, or where they are not collecting information from the public. Back in November, major broadcast and print news operations and others in the News Media Coalition (NMC) asked NTIA to make sure it does not limit their First Amendment rights in its ongoing effort to come up with privacy guidelines for the new wave of UAS. [Source]

Telecom / TV

US – Federal Judge Says No Expectation of Privacy in Cell Site Location

In the Seventh Circuit — where there’s currently no Appeals Court precedent on cell site location info (CSLI) — federal judge Pamela Pepper has decided only about half of what other courts have said about this info’s expectation of privacy applies. That would be the half that finds the Third Party Doctrine covers cell phones’ constant connections to cell towers. (via Three circuits (4th, 5th and 11th) have ruled on whether obtaining CSLI from providers constitutes a search or seizure under the Fourth Amendment. Only the Fourth found that this information deserved greater privacy protections, mainly because of the ubiquitousness of cell phones. The other two held that CSLI is just another business record, even if it is the sort of business record that generates a detailed history of someone’s movements and can be used to track someone in near real-time. The Supreme Court also had something to say about the long-term tracking of people’s movements in its decision about GPS tracking devices. While not exactly the same thing, it was close, and the court here examines this decision as well. The government suggested long-term location tracking might have enough Fourth Amendment implications to justify a warrant requirement, but stopped short of making that call. With these non-precedents in hand, Judge Pepper finds there’s no expectation of privacy in cell location info because — like the government has argued in other cases — everyone should know their phones are acting as ad hoc government tracking devices. [TechDirt] [The ruling is here]

CA – Cases Highlight Legal Debate Over Texting Privacy Rights

The Ontario Court of Appeal is being asked to determine what privacy rights exist in the content of an individual’s text messages when they are obtained by police through the seizure of the phone of the recipient and not that of the sender. It is only the second time that the status of text messages on another person’s phone has been before an appellate court. The B.C. Court of Appeal ruled last year that there are privacy interests for the sender of the communications. At the Ontario Court of Appeal, the issues have been raised in two cases that are being heard together this week. The argument there is no privacy right once a text message has been sent is a very “old school” notion based on control, which does not fit with modern communications, says Laura Berger, acting director of the public safety program at the Canadian Civil Liberties Association. “For an increasing percentage of Canadians, especially younger people, text messages are supplanting voice telephone calls. We need to ensure that privacy protections in place [for phone conversations] are not diluted because of changes in technology,” says Berger. [Law Times]

US Government Programs

US – ODNI Signs Transparency Charter; NSA Sharing Plan Worries Rights Groups

Director of National Intelligence James Clapper signed a charter that formally transitions the Intelligence Community Transparency Working Group into the now permanent IC Transparency Council. Senior officials from across the intelligence community have comprised the working group, which was created two years ago. The council will oversee the Transparency Implementation Plan and ensure that transparency “becomes a comprehensive and sustainable practice” throughout the intelligence community. CSM Passcode reports privacy and civil liberties groups urge the NSA and DNI Clapper to reconsider a proposed data-sharing plan with other law enforcement agencies. Meanwhile, the surprise resignation of David Medine could spell trouble for the Privacy and Civil Liberties Oversight Board. Medine was the only full-time member of the five-member panel. [Full Story]

US Legislation

US – Legislative Roundup

Workplace Privacy

CA – OPC Issues Guidance on How to Prevent Employee Data Snooping

Six years ago a bank employee was caught going through the financial records of another staff member who was in a relationship with her ex-husband. The spying had been going on for four years. In another case hospital employees were caught selling patient data for their own gain. With organizations holding huge amounts of personal data on staff and customers, employee snooping — for curiosity or money — is tempting. The federal privacy commissioner suggested 10 ways employers can prevent staff spying on personal data. “Employee snooping poses a serious privacy risk that if left un-checked can cause significant and lasting financial and reputational damage to both your customers and your organization,” the report warns. “By taking the appropriate steps to address this risk … organizations can go a long way in advancing their reputation as a privacy-conscious business, and more importantly, protect their valued customers’ information, with which they have been entrusted.” [Source] See also: [New OPC Guidance regarding Privacy Impact Assessments: At Two Pages, Why Bother?]

CA – Staff Have Privacy Rights Even if Company Provides Devices, CPOs Told

Talk, not spy technology, should be one of the first weapons employers should use if they suspect employee misuse of enterprise devices or data, two lawyers have told a privacy law conference. “I would be cautious about using all kinds of fun and highly efficient but intrusive technologies to monitor your workers’ productivity,” Emma Phillips, a partner at the Goldblatt Partners LLP law firm, told chief privacy officers in Toronto on Thursday. If management has a reasonable belief there’s been misconduct Canadian law potentially allows staff or a device to be monitored, she added, as long as its done in a reasonable way — for example, don’t install keystroke loggers before warning an individual what inappropriate behaviour is, or put up surveillance cameras that cover broad areas where employees work. [IT World Canada]

WW – Cybersecurity Remains Biggest Barrier to BYOD Adoption: Study

Crowd Research Partners’ recent 2016 BYOD and Mobile Security Report, surveying more than 800 global cybersecurity professionals, reveals that 39% of respondents consider security one of their greatest concerns surrounding bring-your-own-device adoption. An additional 12% expressed fears that BYOD would diminish employee privacy, the report states. The study “reveals that enterprise security risks and mobile data breaches are on the rise.” While these threats are serious, they also pose as “an opportunity for organizations to implement effective cybersecurity solutions to strengthen their security posture and capitalize on the promise of enterprise mobility.” [Security Brief NZ]



26 March – April 1, 2016


US – NTIA Face-Recognition Privacy Talks Blasted as ‘Orwellian Farce’

The U.S. Commerce Department’s National Telecommunications and Information Administration held a meeting last week in its ongoing multistakeholder effort to establish face-recognition technology data best practices, and the results disappointed privacy advocates. Advocates argue that representatives from the technology industry “hijacked” discussions on privacy, the report states. The result? “This is no longer a multistakeholder process,” said the Center on Privacy& Technology. “It is an industry stakeholder process. These draft guidelines are a direct consequence of that decision.” Lack of privacy in this sphere is particularly egregious as “you cannot delete your face.” [IB Times]

Big Data

EU – Security Risks Can Be Mitigated with Robust Access Control and Encryption

The EU Agency for Network and Information Security (“ENISA”) examined the security challenges of and best practices for Big Data. Big Data-related security risks include access control and authentication, secure data management, source validation and filtering, and application software security; mitigating measures include strong and scalable encryption, mandated purchasing from authentic suppliers, use of security standard-compliant devices, and assigning confidence levels on endpoint sources. [ENISA – Big Data Security]


CA – Feds Consulting on Open Government and Access to Information

Treasury Board President Scott Brison invited Canadians to participate in public consultations to help deliver the Government of Canada’s agenda for more openness and transparency. In the context of open dialogue, this series of consultations will be used to develop Canada’s 2016-18 strategy on open government, to be released this summer. Beginning May 1, the Government will also be seeking input from Canadians on how best to implement its commitments to improve the Access to Information Act. Minister Brison will kick-off the consultations on open government by hosting a Google Hangout with leading experts and leaders on April 6. [Source]

CA – Spy Agency Watchdog Facing Huge Budget Cuts

The Security Intelligence Review Committee, which reviews select activities of CSIS, expects to lose, on average, $2.5 million annually in funding starting next spring. The confusion comes as CSIS increasingly flexes its new powers granted under last year’s Bill C-51 national security legislation. The service had long been limited to collecting and analyzing national security intelligence for government, but is now empowered to actively disrupt suspected threats to security and to exchange and collate information on suspect Canadians with other federal departments and agencies, which was not possible before C-51. [National Post]

US – Federal Agencies Sharing Information Under Bill C-51 Provisions

At least four federal agencies have used controversial information-sharing powers in Canada’s new anti-terrorism law, internal government documents show. Privacy commissioner Daniel Therrien said Bill C-51 set the threshold for sharing Canadians’ personal data far too low. It’s not surprising that agencies have begun using the information-sharing act, said University of Ottawa law professor Craig Forcese. “The risk is that it’s being used in ways that are going to be difficult to predict because of the overbreadth and uncertainty of that act, and it’s going to be used in ways that are difficult to police,” said Forcese, co-author of False Security, a book that squarely criticizes the omnibus bill. “It’s added complexity to a complex problem rather than simplifying life.” [Source] [Canada’s new ‘anti-radicalisation’ office met with caution by Muslim community]

CA – Guidance on How CSIS Should Use Anti-Terror Bill C-51 Largely Secret

The federal government has issued guidance to Canada’s spy agency on using contentious new anti-terrorism laws — but most of the instructions won’t be made public. Many passages of the ministerial direction to the Canadian Security Intelligence Service, issued last July, were withheld from release due to provisions of the Access to Information Act concerning security, internal deliberations and cabinet confidences. The federal decision to keep much of the ministerial direction under wraps did nothing to reassure those with concerns about C-51, the omnibus security bill that received royal assent early last summer. The legislation gave CSIS the power to actively disrupt suspected terrorist plots, even allowing the spy service to take actions that breach the Charter of Rights and Freedoms as long as a judge approves. “One of our greatest concerns with C-51 is that CSIS has been given extraordinary new powers, including the power to break the law and violate the Constitution,” said Josh Paterson, executive director of the British Columbia Civil Liberties Association. [Source] [How is the Liberal government using Bill C-51? Good question ] [We Must Question The Timing Of This Terrorism Case ]

CA – BC OIPC Launches Investigation on Phone-Monitoring Tool

BC Privacy Commissioner Elizabeth Denham has kicked off a closed-door inquiry of a surveillance tool known as Stingray, which impersonates a cellphone tower in order to deceive any phone within range and obtain data, possibly storing everything it receives. Law enforcement officials from all over Canada aren’t saying if they use Stingray, as the police work to keep their mass surveillance systems under wraps. The BC Civil Liberties Association’s Micheal Vonn condemned the use of Stingray by police: “What we’re saying here is, does it help to collect the data of tens of thousands of individuals that aren’t the subjects of police investigation? No, of course it doesn’t help.” [Full Story] See also [Maryland Court Says Police Must Disclose Stingray Purpose Before Use]

CA – BC Privacy Commissioner Offers Parting Advice

As Information and Privacy Commissioner Elizabeth Denham prepares to move on to a national posting in the UK, she’s got in mind what the B.C. Liberals could give her in lieu of their tentative offer of a second six-year term here at home.

  • Lobbying reform: Denham’s biggest ask is to change the legislation so what is registered is actual lobbying and not prospective lobbying, “It would make enforcement of the law so much more practical and easier for my office. It would also, I think, help lobbyists because they have to register anyone they might prospectively lobby. It would be more meaningful for the public to be able to see actual lobbying and not prospective lobbying. “
  • Denham favours a stand-alone law governing both public and private health care providers. She also says B.C. should follow other provinces and legislate fines of up to $50,000 for unauthorized snooping by health care staffers. “They’re supposed to look at health information for their own patients, not look up information on celebrities, not look at their ex-spouse’s health information,” said the privacy watchdog. “It’s a serious problem of trust in the system, and we need higher penalties and enforcement.”

Denham is also calling for tougher penalties for the deliberate destruction of public records. Her landmark report from last fall, Access Denied, highlighted a series of concerns in that regard. It also led to recent charges against a government staffer for misleading the commissioner about the destruction of records. The charges are not about the action of unauthorized destruction of records,” explained Denham. “We need that in the Freedom of Information and Protection of Privacy Act. We need an offence provision, and we need the associated penalties.” [The Vancouver Sun]

CA – Legal Community Masses Forces for Set Piece Battle Over Privilege

Organized bar groups are massing at the Supreme Court of Canada again to repel what they contend are state attacks on the adversarial justice system. “When, and under what circumstances, can a regulator pry into a lawyer’s litigation brief, while the litigation is still under way, in order to examine the lawyer’s litigation strategy, trial preparation and other material collected or prepared for the dominant purpose of actual or apprehended litigation?” “If the court finds that litigation privilege can be abrogated by inference, it would expose lawyers’ briefs to regulatory scrutiny while litigation is still under way, in the absence of clear and explicit statutory language. This would dramatically expand the circumstances in which regulators could access information protected by litigation privilege.” [Lawyers Weekly]

WW – Software Flags ‘Suicidal’ Students, Presenting Privacy Dilemma

Ontario Christian Schools (OCS) is a private K-12 school near Los Angeles with about 100 children per grade. Three years ago, the school began buying Google Chromebook laptops for every student in middle and high school. The students would be allowed to take them home. Although Google software, like that of other companies, comes with virus protection and the ability to filter search results and block certain Web sites, Ontario Christian Schools turned to a third party to provide an additional layer of security: a startup called GoGuardian. GoGuardian helped school leaders create a list of off-limits websites: porn, hacking-related sites and “timewasters” like online games, TV and movie streaming. The software also has another feature: It tracks students’ browsing and searches whenever they are using the computer, at home or at school. That’s how OCS was alerted that a student appeared to be in severe emotional distress. Suicide is the third leading cause of death among youth aged 10 to 24. Said a research fellow at NYU’s Information Law Institute and an expert on student privacy and data. “This is a growing trend where schools are monitoring students more and more for safety reasons,” she says. “I think student safety and saving lives is obviously important, and I don’t want to discount that. But I also think there’s a real possibility that this well-meaning attempt to protect students from themselves will result in overreach.” This type of dilemma is almost certainly going to become more common, as school-owned devices and laptops proliferate. In 2015 alone, according to a report released this month, U.S. K-12 districts bought 10.5 million devices like laptops and tablets, a 17.5 percent increase over the year before. [NPR] See also: [Student Privacy at Risk Absent Better Training for All] [U.S. Department of Education guidance]


WW – New ‘Commerce VPN’ Site Aims to Make Online Shopping Safer

Launched yesterday, is a VPN for netizens’ credit cards, aiming to spare online shoppers from the fear that their information is stolen, used in targeted ads, or otherwise employed improperly. The site “drops in a one-time credit card number with no connection to you personally” come check out, making it appear as if is the buyer. The site also permits a debit account shopping system, like PayPal, as well as pseudonyms. While the system isn’t bullet proof, the report states, “you get a new layer of insulation from the world of online fraud.” [The Verge]

WW – Internet Users Don’t Understand Security or Privacy: Survey

Canadian think-tank CIGI (the Centre for International Governance and Innovation) reckons ordinary citizens are more comfortable with government oversight of the Internet and their privacy than, for example, Apple. In an international survey (24,000 respondents in 24 countries), the group claims

  • more than 70% want the “dark net” shut down (which rests on the assumption that 70% of people actually know what the “dark net” is).
  • 26% of users don’t trust their governments at all over monitoring their communications without their knowledge (something not highlighted in either of the two CIGI-Ipsos media releases).
  • Only 8.47% of respondents said they trust their governments completely (the citizens that most trust their governments were in Tunisia, at 27%, and Pakistan, at 21%).
  • most respondents don’t understand that unbreakable encryption protects things like their online banking and shopping, as well as protecting criminals: 60% of Americans and 63% of the total sample reckon “companies should not develop technologies that protect law enforcement from accessing the content of a user’s online data”.
  • Regarding access to citizens’ data, the survey says 70% over users think agencies should have access to citizens’ content for “valid national security reasons” (emphasis added), versus 30% who disagreed. [The Register]


US – FTC Signs Agreement with CRTC to Fight Unlawful Spam

The FTC signed a memorandum of understanding with the CRTC in regards to enforcing commercial email and telemarketing laws. The MOU is effective March 24, 2016. The agreement requires both the FTC and the CRTC to limit retention of shared materials, safeguard any shared information containing PII (by using encryption, using a courier with tracking capabilities, using password-protected files for electronic information and locked storage for hard copies, and redaction of publicly released materials), and notify each other of any breaches. [FTC – MoU between the US FTC and the CRTC on Mutual Assistance in the Enforcement of Laws on Commercial Email and Telemarketing| [Press Release]

WW – Google Enhances Gmail Security

Google has made some changes to Gmail to protect users from malicious links and state-sponsored attacks. When users click on suspicious links that arrive in email, Gmail will display a full-page warning them that visiting the site could harm their computer. Users will be able to choose to click through to the site. Google will also display a full-page warning when it believes state-sponsored attackers have targeted users. Google’s blog post also notes the company’s participation in submitting a draft IETF specification for SMTP Strict Transport Security, which aims to “ensure TLS encryption works as intended.” [SC Magazine] [Google Blog]

WW – The Dream of Usable Email Encryption Is Still A Work in Progress

In 2014, in the aftermath of the Edward Snowden revelations, Google and Yahoo, the two largest email providers in the world, promised to change that once and for all with a browser plugin that would make sending encrypted emails so seamless anyone could use it. Yet, Google and Yahoo’s projects on secure end-to-end encrypted email have yet to see the light of day. That’s why some are starting to question how much Google and Yahoo really care about making this happen. In recent interviews with Motherboard, both companies publicly renewed their commitment. “Engineers from Google, Yahoo, and the open source community continue to work together on the End-To-End Mail extension project. It remains a work in progress,” a Google spokesperson said. A Yahoo spokesperson said the team of new security chief Bob Lord “is still cranking on it,” and pointed to the fact that the company even mentioned the project in its amicus brief in support of Apple in the case of the San Bernardino shooter. Neither of the companies, however, dared to venture a prediction on when the final product would be released. [Motherboard]

Electronic Records

US – CyberSecurity Information Sharing Is Here to Stay

The adoption of the Cybersecurity Information Sharing Act in the U.S., among other initiatives both in the U.S. and internationally, are “likely to bring about a significant change in the way information sharing and collaboration works.” Paired with emerging technical standards that “promise to enable efficient information sharing at scale,” we will begin to see how “cyber-threat intelligence is poised to transition from a revenue-generating resource to a public good.” [Hogan Lovells]. See also: [New NIST working group born out of IoT complexities] See also: [Canadian Federal privacy commissioner will watch threat information sharing, says OPCC official] and [IIROC to Focus on Dealer Members’ Cyber Threats Preparedness]

AU – Vic CPDP ‘Catastrophic’ Impact of Info Sharing Failures

Failure to share information effectively between agencies can have “catastrophic consequences”, the report of the Royal Commission into Family Violence has found. It’s not news for Victoria’s Commissioner for Privacy and Data Protection, David Eatts, who said. “It’s disappointing that it takes a royal commission to highlight these issues, because they’re issues our office has been pointing out ever since I was appointed.” Privacy law is often blamed for different agencies being unaware of risks raised elsewhere. Stories abound of justice, drug and alcohol and child protection services, for example, failing to speak to one another and pick up clear warning signs that may have prevented serious harm. But, while the legislation is complicated, Watts argues it’s the overly legalistic and risk averse approach to privacy law, rather than the law itself, that’s the primary problem. Watts’ comments align with those made by his New South Wales counterpart Elizabeth Coombs last year, who argued the problem is with misunderstandings of privacy law, rather than the law itself. [The Mandarin]


US – FBI Unlocks iPhone Without Apple’s Help

The FBI has managed to crack the iPhone in the San Bernardino case without intervention from Apple. The Justice Department has dropped its legal case against Apple and “has asked a United States Magistrate Judge in Riverside, California to vacate her order compelling Apple to assist the FBI in unlocking the iPhone.” [CS Monitor] [ZDNet] [ArsTechnica] [Bloomberg] [Wired] [ComputerWorld] See also: [Apple scrambles to restore iPhone security after losing privacy fight]

EU – Silicon Valley Faces Encryption Fight in Europe

There are growing calls in some European countries for access to encrypted communications in the wake of recent terrorist attacks in the region. Though Apple is in a highly publicized debate in the U.S. about encryption in its devices, the company, along with other companies employing the security technology, may find similar fights in Europe. French lawmakers plan to debate new intelligence laws this week, and the U.K. is currently embroiled in the proposed Investigatory Powers Bill, which would give broad new powers to law enforcement. Other countries, however, including Germany and the Netherlands, do not back laws that would mandate access to encrypted devices. In the U.S., Sens. Dianne Feinstein, D-Calif., and Richard Burr, R-N.C., are seeking support for their encryption legislation. Rep. Jackie Speier, D-Calif., has released a new bill that would require personal information before purchasing a so-called “burner phone.” [New York Times]

EU Developments

US – Bulk Surveillance Court Cases Could stymie Privacy Shield

The Article 29 Working Party is reportedly looking into three cases that will be heard by the European Court of Justice in weighing its own opinion as to whether the EU-U.S. Privacy Shield is valid. According to Reuters, four individuals familiar with the group’s deliberations said the regulatory body is looking at an airline passenger data sharing pact with Canada as well as two other cases involving data retention by telecommunications companies. According to the report, the three cases are relevant to the Shield because they involve restrictions on bulk surveillance. A senior U.S. government official said, “We have negotiated the Privacy Shield based on the current state of law in the EU … If the law changes, we’ll have to go back and relook at how we handle these things.” [Reuters]

Facts & Stats

US – ACLU Maps DoJ Use of All Writs Act to Force Techs to Crack Devices

The Justice Department said tech companies have accessed phones for it before. So the ACLU tried to find all the cases.  The ACLU on Wednesday published court documents and an interactive map for what it said were dozens of instances when the U.S. government tried to compel tech companies to unlock customer devices, offering a fairly comprehensive look at where and under what circumstances law enforcement sought what now might be seen as controversial help. The civil liberties group said it had confirmed 63 such cases and suspected there could be up to 13 more based on its review of court documents and public statements by government and tech company officials. The ACLU said it published the map to stoke public discussion about the use of the All Writs Act. It is also pursuing a Freedom of Information Act request to learn more. [Washington Post]


US – Effects of Copyright Takedown Abuse on Online Free Expression” Study

Three of America’s sharpest copyright scholars have released a landmark study of the impact of copyright takedowns on free expression in America: Notice and Takedown in Everyday Practice, by Jennifer Urban (UC Berkeley), Joe Karaganis (Columbia), and Brianna L. Schofiel (UC Berkeley) uses detailed surveys and interviews and a random sample from over 100,000,000 takedown notices to analyze the proportion of fraudulent, malformed or otherwise incorrect acts of censorship undertaken in copyright’s name, using the Digital Millennium Copyright Act’s takedown procedure. The DMCA is nearly 20 years old, and even before it was passed into law, virtually everyone who was paying attention said that creating a system that allows anything online to be censored through copyright infringement accusations, without due process or even penalties for getting it wrong, would get us into trouble. Now the evidence is in, and it couldn’t be more damning. [Source]

WW – Egypt Blocks Facebook Internet Service After Surveillance Request Denied

After Facebook allegedly prohibited the Egyptian government from using the company’s Free Basics Internet as a surveillance tool, the government blocked the service altogether. Free Basics provides Internet use to those in poverty-stricken areas for free, and Facebook launched the Egyptian version in October of last year. By December, the government suspended the site, saying at the time that permit issues were to blame. Yet sources “close to the situation” maintain that Facebook “was blocked because the company would not allow the government to circumvent the service’s security to conduct surveillance,” the report states. [Reuters]


WW – Panama Papers: Mossack Fonseca Leak Reveals Elite’s Tax Havens

A huge leak of confidential documents has revealed how the rich and powerful use tax havens to hide their wealth. Eleven million documents were leaked from one of the world’s most secretive companies, Panamanian law firm Mossack Fonseca. They show how Mossack Fonseca has helped clients launder money, dodge sanctions and evade tax. The company says it has operated beyond reproach for 40 years and has never been charged with criminal wrong-doing. The documents show links to 72 current or former heads of state in the data, including dictators accused of looting their own countries. Gerard Ryle, director of the ICIJ, said the documents covered the day-to-day business at Mossack Fonseca over the past 40 years. “I think the leak will prove to be probably the biggest blow the offshore world has ever taken because of the extent of the documents,” he said. [BBC]


CA – OIPC BC Opposes Many Recommended Amendments to FOI Legislation

The OIPC responded to the recommendations made to the committee reviewing British Columbia’s FIPPA. The OIPC rejects a number of recommendations as unnecessary; the Law Society’s recommendation to exclude from disclosure to the OIPC all records subject to solicitor-client privilege is rejected because such disclosure may be necessary in the course of the OIPC’s functions and is subject to existing statutory confidentiality safeguards. The OIPC recommended that the law be amended to require a public body to automatically waive fees when it fails to meet its legislated timeline for responding to a request. [OIPC BC – OIPC Response to Stakeholder Recommendations to the Special Committee to Review the Freedom of Information and Protection of Privacy Act]

US – Study Offers Best Practices for Transparency Reporting: Institute

A new report from the Open Technology Institute at New America and the Berkman Center for Internet & Society at Harvard University examines best practices for transparency reporting. “The Transparency Reporting Toolkit: Survey & Best Practice Memos.” is a compilation of eight memos highlighting challenges major U.S. Internet and telecommunications companies face when reporting on law enforcement and government requests for user information. Transparency reports came into prominence after the Snowden leaks in 2013, but the study says technology companies, including Google, Twitter and Microsoft, have not utilized best practices when crafting these reports and it is therefore hard to compare metrics. “By conducting this survey, we’ve laid the groundwork for stronger and more comprehensive transparency reporting on government requests for user data and information,” said the Open Technology Institute. [Source] See also: [Reddit removes ‘warrant canary’ from transparency report] [ACLU released an online map tracking instances of the government’s abuse of the All Writs Act.]

CA – Why Was NEB Deleting an Email Sent In the Middle of the Night?

Canada’s pipeline watchdog is under investigation by Parliament’s information commissioner for deleting an email that drew attention to a mistake made by an employee, said the National Energy Board (NEB). An internal NEB email revealed that the employee who made the mistake was the pipeline regulator’s head of security. The NEB staff believe the deleted email contained references to how the regulator’s top security official had given personal information about a co-worker to a private investigator. But the email disappeared from the records of the Calgary-based NEB after a senior bureaucrat instructed staff to delete it. People can go to jail or pay hefty fines in the thousands of dollars for deleting records of the federal government’s day-to-day business and operations, under Canada’s access to information legislation. The NEB denied it broke the law. An NEB spokesman said that the contents of the deleted email had revealed it shared information about its employee with a potential contractor without verifying the firm’s security clearance. The spokesman also told National Observer that NEB staff decided to delete the email to mitigate the risk of “harm” caused to the employee whose name was mentioned in the correspondence. [National Observer] Fifth in an in depth series about the National Energy Board. Part I here, Part II here, Part III here, Part IV here.

WW – Microsoft Transparency Report for Second Half of 2015

Microsoft’s transparency report for the second half of 2015 shows that the company received 11% more legal requests for information than it did in the first half of last year. In all, law enforcement agencies made 39,083 requests for information regarding 64,614 accounts. Microsoft provided subscriber data for two-thirds of the requests. In two percent of the cases, Microsoft surrendered content, such as email, instant messages, and data stored in OneDrive. Microsoft also received 505 emergency requests for information. [ZDNet] [MSFT blog] [MSFT Transparency Hub] [New Microsoft Transparency Report Includes Revenge Porn Removal Stats]


US – Law Enforcement Investigators Seek Out Private DNA Databases

Investigators are broadening their DNA searches beyond government databases and demanding genetic information from companies that do ancestry research for their customers. Two major companies that research family lineage for fees around $200 say that over the last two years, they have received law enforcement demands for individual’s genetic information stored in their DNA databases. and competitor 23andme report a total of five requests from law agencies for the genetic material of six individuals in their growing databases of hundreds of thousands. turned over one person’s data for an investigation into the murder and rape of an 18-year-old woman in Idaho Falls, Idaho. 23andme has received four other court orders but persuaded investigators to withdraw the requests. The companies say law enforcement demands for genetic information are rare. [Associated Press]

Health / Medical

US – FTC’s Rich Outlines Health Data Protection Efforts, Calls for More Authority

Jessica Rich, the director of the FTC’s Bureau of Consumer Protection, gave testimony to the House Subcommittee on Information Technology and the Subcommittee on Health, Benefits, and Administrative Rules of the Oversight and Government Reform Committee last week, explaining the Commission’s current efforts to safeguard consumer health data, while reinforcing the Commission’s request for expanded authority to go further. Rich spoke about the FTC’s concerns regarding the large amounts of health information data generated on platforms such as websites, wearable technologies and communication portals. While those technologies are not covered under HIPAA, they do fall under FTC jurisdiction. Rich said the Commission has addressed health data privacy and security issues through enforcement, policy initiatives and education, but believes the organization can be more effective in stopping unfair and misleading practices if Congress passes regulation strengthening the Commission’s existing data security authority. [Full Story]

US – Hospital Settles Largest Per Plaintiff Breach Payout in History

A judge ruled that California-based St. Joseph Health System must pay more than $28 million to settle a 31,074-plaintiff class action suit, the largest per-member settlement in data breach history. This result comes after U.S. District Judge Kenneth Hoyt dismissed a similar suit against the organization in 2015, calling the plaintiff’s concern over “heightened risk of future identity theft” insufficient grounds for legal action. As a result of the 2012 breach, the settlement requires defendants to allot $7.5 million for plaintiffs, $7.4 million for lawyers’ fees, $4.5 million for credit monitoring services, and $3 million for identity theft compensation. [Source]

US – Nurse Hands Over License After Texting Compromising Patient Picture

A New York nurse surrendered her license to practice after snapping pictures of an unconscious patient’s genitals and sending them to peers via text. The surrender was part of a plea deal in which Kristen Johnson pleaded guilty to misdemeanor disseminating of unlawful surveillance photos. Her conviction marked the conclusion of a nine-month, Onondaga County District Attorney’s Office investigation after co-workers complained about her texts. [CBS 6 Albany] Police: Former Upstate nurse took pictures of patients’ intimate parts while unconscious | Central NY nurse loses license over cell phone photo]

US – MedStar Health System Infected with Malware

Washington-Baltimore area healthcare provider MedStar Health has shut down some of its computer systems following a malware infection. The organization says its clinical facilities are still open. MedStar operates 10 hospitals and more than 250 outpatient facilities. The FBI is investigating. [eWeek] [The Hill] [Reuters]

Horror Stories

US – Verizon Customer Data Breach

Verizon has acknowledged that a breach of its Verizon Enterprise Solutions unit compromised customer data. Verizon Enterprise Solutions helps companies respond to data breaches. Last week, a post on an underground cybercrime forum offered 1.5 million Verizon Enterprise Solutions customer records for sale. Verizon says the compromised data are “basic contact information [of] enterprise customers.” [Krebs] [eWeek]

US – University of Central Florida Spends $110,000 After Computer Hack

A computer hack affecting the personal information of 63,000 people at the University of Central Florida resulted in a nearly $110,000 invoice for the month of February. The costs include $64,000 to operate the call center where students and staff could learn if their information was compromised, and another $45,000 to print and mail packets warning people of the hack. UCF says their cybersecurity insurance, which comes from an outside company, covered the costs. While UCF has worked to help the victims, the university still faces lawsuits in the aftermath of the data breach. [WFTV 9]

Identity Issues

CA – Ottawa Man Claims Identity Stolen Using Canada Post Website

Mike Wood says someone stole his identity and changed his mailing address using Canada Post’s website. When he called Canada Post, he was told his mail was being forwarded to another address, after someone paid $117 to make the change online. Wood said the postal service official wouldn’t tell him where his mail was ending up, and that police told him they couldn’t help without that information. Wood said Canada Post told him whoever apparently stole his identity would have had to answer multiple security questions. He’s not sure how that’s possible. He added that a Canada Post representative also told him that tax season is a common time for identity theft, because tax forms include social insurance numbers. Canada Post wouldn’t comment about the case, beyond confirming that they are investigating. [CTV News[

Internet / WWW

US – Hogan Lovells Issues Legal Analysis of the EU-U.S. Privacy Shield

Law firm Hogan Lovells has released a 60-plus-page “Legal Analysis of the EU-U.S. Privacy Shield,” whereby the report’s authors assess the likelihood the Shield will withstand legal challenge by referencing jurisprudence of the Court of Justice of the European Union. Their conclusion? “[T]he Privacy Shield Framework provides an ‘essentially equivalent’ level of protection for personal data transferred from the EU to the U.S.” The assembled lawyers, on both sides of the Atlantic, set up “detailed and complex criteria” for assessing the Shield, and “in every instance, we have concluded that each criterion is met.” [HLDA] See also: [Why the cloud makes the EU-US Privacy Shield meaningless  ]

Law Enforcement

CA – Town of Banff Considers RCMP Traffic Camera Use

Banff RCMP want to use the Town of Banff’s downtown traffic cameras to help them solve crimes and nab crooks. At a council meeting last week, council considered a proposal from Banff RCMP to use the traffic cameras to help them solve crimes, but issues of personal privacy first need to be addressed. Town council unanimously directed administration to return with a report considering the Freedom of Information and Protection of Privacy Act (FOIP) implications of using the traffic cameras to help solve crimes. “Banff has a very low crime rate and we live in a very safe community,” said Councillor Karlos Stavros, who voiced support for the move. “We’re not talking about active surveillance at all. It’s about the ability to provide evidence for cases.” The Town of Banff’s traffic cameras, set up at various intersections in the downtown core, are currently used only to capture traffic data to help monitor traffic flow and overall traffic management. One of the camera types takes a still photo every minute and also has potential to take video. Currently, no personal information such as licence plate numbers or car occupant faces is recorded. Banff RCMP wants to expand the purpose of the traffic camera systems, not for ongoing surveillance, but as an investigative tool. [Source]

Online Privacy

EU – France Fines Google Over ‘Right To Be Forgotten’

The French data protection authority said it has fined Google €100,000 for not scrubbing web search results widely enough in response to a European privacy ruling. The only way for Google to uphold the Europeans’ right to privacy was by delisting inaccurate results popping up under name searches across all its websites, the Commission Nationale de l’Informatique et des Libertes (CNIL) said in a statement. [Reuters] [CNIL – Deliberation No. 2016-054 – Google Inc] [Press Release]

Other Jurisdictions

WW – MSFT Creates Special Chinese Government Version of Windows 10

Microsoft is now ready to roll with a version of Windows 10 designed specifically for the Chinese government, it has emerged. Back in December, Microsoft and China Electronics Technology Group Corp  announced they were setting up a Beijing-based joint partnership called C&M Information Technologies. The new organization will develop a specific build of Windows 10 for Middle Kingdom mandarins. This version will be “a government-approved Windows 10 image, including Chinese capabilities such as government selected antivirus software,” and be made available to “state-owned enterprise customers” including “government and critical infrastructure.” C&M “will provide product activation, patch management, deployment services and product support, as needed, to these government customers.” It will also “collect feedback from these government customers on their specific use requirements to inform the creation of the successive updates of the government Windows 10 image, which may be developed by the joint organization.” Presumably this feedback won’t include all the data Windows 10 routinely sends back to Redmond; this telemetry will likely be curtailed seeing as it’s an enterprise-friendly build. [The Register] See also: [US Navy paid millions to stay on Windows XP]

Privacy (US)

US – FCC Votes To Propose New Privacy Rules for ISPs

FCC Chairman Tom Wheeler moved yet another of his controversial proposals forward last week. The commission voted on party lines, 3-2, to advance a proposed rule imposing strong privacy regulations on ISPs. Wheeler wants to improve how ISPs treat individuals’ privacy when the market makes customer data immensely valuable. That data can give providers and analysts a perfect picture of the details making up a person’s everyday life, and the commission’s majority thinks that’s intrusive. The proposed rule would obligate companies to tell their customers what information they collect, how and if they share it with third parties, and how customers can change those privacy preferences. The proposal also would allow ISPs to use consumer data to sell other communications services or share it with outside marketers in that field. But it would allow customers to opt out of those practices. This is only the beginning. Before officials begin drafting final rules, they’ll need to wait for comments from industry members, think tanks and the general public. It’s a controversial idea. Republicans on the commission, GOP lawmakers in the House, and even members of the broadband industry have all pushed back on the proposed rule. The Republican commissioners were vocal about their dissent. The FTC already regulates privacy. [Source] [FCC OKs Proposed Privacy Rules With a Lot of Pushback] [How The FCC’s Proposed Privacy Rules Would Create A False Sense Of Consumer Privacy] [FCC Sparks Turf Wars As It Raises Washington Profile] [EPIC Urges FCC to Broaden Scope, Substance of Draft Privacy Rules]

US – FTC to Host Fall Seminar Series on Emerging Consumer Technology Issues

The FTC will host a series of seminars this fall to examine three new and evolving technologies that are raising critical consumer protection issues. The FTC Fall Technology Series comprises three half-day events that will explore ransomware, drones, and smart TV. In 2014, the Commission held a series of seminars examining the privacy implications of mobile device tracking, consumer generated health data, and alternative scoring techniques. [Drone bazooka is here]

FTC Fall Technology Series: Ransomware – 9 a.m. to noon, September 7, 2016

FTC Fall Technology Series: Drones – 9 a.m. to noon, October 13, 2016

FTC Fall Technology Series: Smart TV – 9 a.m. to noon, December 7, 2016


US – US Federal Agencies and Ransomware

29 US federal government agencies have reported a total of 321 ransomware incidents since June 2015, according to the Department of Homeland Security (DHS). Not all of the incidents resulted in infections, and no incidents resulted in payment of ransom. Last December, Senators Ron Johnson (R-Wisconsin) and Tom Carper (D-Delaware), chairman and ranking member of the Senate Homeland Security and Government Affairs Committee, requested information about agencies’ efforts to protect systems from ransomware. Carper has posted the responses to his website. [FCW] [The Hill] [NextGov] [Results on Senator Carper’s Website] [ComputerWorld: Ransomware Uses Windows PowerShell] [CarbonBlack] [Petya Ransomware Encrypt Master File Table]

US – FBI Seeking Help with Ransomware Investigation

Reuters obtained a copy of a confidential “Flash” advisory, dated March 25, 2016, in which FBI asked companies and security experts for help in its investigation of ransomware known as MSIL/Samas.A. This particular malware tries to encrypt data on an entire network rather than encrypting data on an individual computer. [Reuters] [With regards to Ransomware The Computer Incident Response Center Luxembourg (CIRCL) have released an excellent guide on “Proactive defenses and incident response“] In the wake of a number of high-profile attacks against hospitals, [legislators are moving to update cybersecurity laws to include protection against ransomware threats] [Ransomware not covered by e-health record laws]

US – Three More US Hospitals Infected with Ransomware

Three more US hospitals have disclosed that their systems were hit with ransomware. Methodist Hospital in Henderson, Kentucky information systems director Jaime Reid said the cause of the “Internal State of Emergency” at the hospital was Locky ransomware. Chino Valley Medical Center and Desert Valley Hospital in California were also struck with ransomware; both were operating normally by Wednesday, March 23. [Krebs] [BBC] [ArsTechnica] [NBCNews] See also: [Is Ransomware Considered A Health Data Breach Under HIPAA?]

US – Medical Dispensing Systems Have Remotely Exploitable Flaws

More than 1,400 remotely exploitable vulnerabilities were found in CareFusion’s Pyxis SupplyStation medical dispensing systems. More than half of the flaws found were given a severity rating of high or critical. The issues affect Pyxis SupplyStation versions 8.0, 8.1.3, 9.0, 9.1, 9.2, and 9.3 on Windows Server 2003/Windows XP. Version 9.3, 9.4, and 10.0 running on Windows Server 2008/Windows Server 2012/Windows 7 are not affected. The US Department of Homeland Security’s (DHS’s) Industrial Control System CERT has issued an advisory. [The Register] [SCMagazine] [ComputerWorld] [ICS-CERT Advisory]

US – Investigation Finds Security Gaps in State Department Visa Database

Security gaps discovered in a State Department system could allow hackers to doctor visa applications, or steal sensitive data. Several months ago, the State Department conducted an internal review learning its Consular Consolidated Database, the government’s “backbone” for vetting travels, was in danger of being compromised. The CCD, one of the largest biometric databases in the world, holds the personal information of nearly anyone who applied for a passport. A cyberattack could compromise sensitive information, including photographs, fingerprints and Social Security numbers, making it valuable for hackers looking to steal identities. Hackers could also alter records approving visa applications for individuals linked to terrorism who would normally be rejected. The State Department says it has addressed these concerns, and any vulnerabilities would be difficult to exploit. [ABC News]

CA – Keystroke Loggers Found at Concordia University

Keystroke logging devices were found on several workstations in the Webster and Vanier libraries at Concordia University in Montreal, Quebec. School officials have notified local authorities. [SC Magazine] [University Notice]

WW – Macro Blocking Now Available in Office 2016

Microsoft has added a feature to Office 2016 that allows enterprise administrators to block macros from executing. The feature can be configured for each application and is controlled through Group Policy. It can be used to disable macros in documents that come from the Internet zone. [The Register] [ComputerWorld] [MSFT Blog]


CA – Civil-Rights Group Appeals on Police Use of Cellphone Surveillance

Pivot Legal Society, a British Columbia-based legal-advocacy organization, filed an appeal with the province’s privacy commissioner after Vancouver police refused to disclose documents related to whether they use an invasive technology known as Stingray. …Wednesday was the deadline for interveners to file submissions on Pivot Legal’s appeal. Groups such as the B.C. Civil Liberties Association and OpenMedia argue that police are “stonewalling” attempts by the public to know the extent of the device’s use, which is putting Canadians’ constitutional rights at risk and preventing law enforcement from being held accountable. [Globe & Mail] [B.C.’s privacy commissioner launches inquiry into phone-monitoring device] [Canadian Cops Won’t Say if They Use ‘Stingray’ Mass Surveillance Devices] [Guilty pleas end risk of revealing RCMP surveillance technology]

CA – OIPC AB Finds Condominium Used Surveillance PI for Contrary Purposes

The Alberta OIPC investigated the Grandin Manor Ltd., a condominium corporation, for alleged violations of the Personal Information Protection Act. Unit owners of the condominium provided deemed consent for the collection and use of their personal information by the surveillance system because a majority of owners voted to implement the system and there is proper signage about the use of the cameras; however, personal information from the system was retrieved and used to send a warning letter to an individual for conduct unrelated to maintenance of building security. [OIPC AB – Order P2016-02 – Grandin Manor Ltd]

WW – Surveillance Silences Minority Opinions: Study

A new study published in Journalism and Mass Communication Quarterly found that those who felt their opinions on mass surveillance were in the minority were less likely to express them. The questionnaire exposed some to subtle reminders of government surveillance and others not. Once the idea of government surveillance is introduced, researcher Elizabeth Stoycheff found, participants — even those who indicated they support government surveillance for national security — were less likely to speak out about nonconformist ideas. [Washington Post]

US Government Programs

US – EPIC Scrutinizes DHS “Insider Threat” Database

In comments to the Department of Homeland Security, EPIC criticized a proposed “Insider Threat” database that would gather vast amounts of personal data on a wide variety of individuals outside the federal agency. The database would include information from the Standard Form 86, which is a 127-page questionnaire for national security positions. The form includes SSN, passport and driver license number, and medical reports among other sensitive data. The DHS database will cover broad categories of individuals, including persons who are not under investigation. The database will contain records not only on current and former DHS employees and contractors, but also on family members, dependents, relatives, and personal associates of individuals who are under investigation. EPIC urged DHS to narrow the scope of individuals included in the database and limit the amount of data collected. EPIC also urged DHS to significantly narrow the Privacy Act exemptions for its database and withdraw unnecessary proposed routine use disclosures. The Privacy Act exemptions DHS has proposed would allow the agency to ignore complying with a number of Privacy Act safeguards, including requirements to maintain accurate records and to limit collection to only that information necessary for the detection and prevention of insider threats. Moreover, DHS’s proposed routine uses would allow the agency to disclose database records to numerous entities for purposes unrelated to addressing “insider threats,” including hiring decisions and DHS public relations. Citing the recent surge in government data breaches, including the breach of 21.5 m records at OPM, EPIC warned that DHS data practices pose a risk to federal employees. EPIC has previously advocated for privacy protections in background checks and consistently warned against inaccurate, insecure, and overbroad government databases. s

US Legislation

US – Senate Passes FOIA Reform Bill

The Senate passed by unanimous consent the Freedom of Information Improvement Act of 2015. The bill, cosponsored by Senators Patrick Leahy (D-VT) and John Cornyn (R-TX), requires federal agencies to operate under a “presumption of openness,” and places time limits on the FOIA’s Exemption 5. Exemption 5 is most commonly invoked to protect the “deliberative process privilege” of inter- and intra-agency memoranda. The FOIA currently places no time limit on the exemption. The bill also seeks to strengthen the Office of Government Information Services (OGIS) and require new reporting on the use of exemptions and audits of agency FOIA processes. In promoting the legislation, Senator Leahy said the bill “will help open the government to the 300 million Americans it serves and ensure that future administrations place an emphasis on openness and transparency.” The House passed a similar bill in January 2016. Differences between the two versions must now be reconciled before President Obama can sign the bill into law. EPIC and a coalition of open government advocates previously urged the President to support the bipartisan legislation, pressing the President to honor his commitment to an “unprecedented level of openness” in his administration by pushing Congress to update the FOIA. The coalition identified six core ways the FOIA should be updated: (1) codify a presumption of disclosure; (2) require agencies seeking to withhold information to show foreseeable harm; (3) require agencies to weigh the public interest when withholding under Exemption 5; (4) exclude from Exemption 5 records older than 25 years; (5) waive fees when agencies miss statutory deadlines; and (6) expand the role of OGIS.




18-25 March 2016


CA – Trudeau Doubles Counter-Radicalization Spending, Zip for SIRC

The Canadian government is doubling its support for programs to prevent radicalization, but couldn’t find any new cash for the overworked agencies that keep tabs on the country’s spies. Amid controversy last year over Justin Trudeau’s support for anti-terrorism Bill C-51, the Liberals pledged to create an office that would tackle radicalization. In its first budget this week, the government revealed the new office of the Community Outreach and Counter-radicalization Co-ordinator will receive an additional $35 million over five years. The officials say the domestic anti-radicalization money supports “a whole-of-government approach” that involves the RCMP, CSIS, border agents, local governments and community groups. [Source] See also: [Ottawa Citizen: PM Says Not ‘At War’ but Increases Use of Hated C-51 Powers]and [Angus Reid Survey Finds Huge Support for C-51]

CA – Canada Endorses Deal to Share Canadian Banking Records with IRS

Two Liberal cabinet ministers who had criticized a controversial agreement to provide Canadian banking records to the U.S. Internal Revenue Service now say they support the deal. Speaking on the way into a cabinet meeting, Treasury Board President Scott Brison and Transport Minister Marc Garneau rallied behind the position adopted last week by Revenue Minister Diane Lebouthillier, supporting the deal struck under the Harper government that saw 155,000 Canadian banking records shared with the IRS last September. [iPolitics] [Revenue Minister Asked to Testify on Records Transfer to IRS]

CA – Could Take Up To a Year to Swear-in a New BC Privacy Commissioner

Premier Christy Clark’s cabinet may appoint a temporary replacement for B.C.’s privacy watchdog, after the abrupt departure of commissioner Elizabeth Denham caught MLAs who were planning to re-appoint her by surprise. Denham told government this week that the United Kingdom had nominated her as its new information commissioner, and she would leave her B.C. post when her term expires on July 6. The all-party committee of the legislature is now faced with the potentially lengthy process of launching a global search for her replacement, which the committee’s deputy chair admits may not be finished before Denham leaves in July. The normal procedure would be for the all-party committee to make a unanimous recommendation to the legislature, and the legislature to affirm that choice. But if the committee can’t agree on a name before Denham leaves in July, cabinet has the power to slot its own candidate as acting commissioner. That person would serve until the committee makes its choice. The entire process, including legislative confirmation, could take up to a year if government doesn’t convene a fall session. [Source] [BC’s Info and Privacy Watchdog Departs for Britain] [B.C. privacy commissioner Elizabeth Denham moving on to bigger things ]

CA – Alberta Court Finds It Is Not Urgent or Necessary for Law Society to Review a Former Member’s Phone and Computer Records

The Law Society of Alberta sought an order compelling Justin Sidhu to produce records in compliance with the Legal Professions Act. An order compelling access to a former member’s cellphone and computer records following his conviction on charges drug trafficking is denied; if the conviction is upheld on appeal that would be proof of the misconduct and therefore the need for the information is neither urgent nor necessary at this time. [Law Society of Alberta v Sidhu – 2016 ABQB 142 CanLII]

CA – Nunavut Making Little Progress on Access to Info Changes

The Government of Nunavut’s efforts to make the administration of its municipalities more transparent has stalled. That’s because consultations with community governments on how to bring their operations under the Access to Information and Protection of Privacy Act are at a “standstill,” according to Nunavut government documents. “In the past year, consultations with municipalities have been at a standstill due to capacity issues within the ATIPP office,” the GN said in a document tabled March 15 in the Nunavut legislature. In the document, the GN responds to 11 recommendations made by a standing committee of MLAs, which reviewed the 2014-15 annual report by Nunavut’s information and privacy commissioner. [Source]

CA – SCC to Hear 2nd Case Involving Jurisdiction and the Internet

On March 10, 2016, the Supreme Court of Canada granted leave on a second recent case involving jurisdictional issues and the internet: Douez v. Facebook, Inc., 2015 BCCA 279. Douez involved a BC resident plaintiff who sought to sue Facebook for a breach of privacy arising from the use of her name and her portrait without her consent. The proposed class action suit would be based on a claim that Facebook’s practice of featuring the name and image of individuals in relation to certain advertisements amounted to a breach of s. 3 of BC’s Privacy Act—a statutory cause of action which only applied within BC. At first instance, the BC Supreme Court concluded that BC was a proper jurisdiction, was not forum non conveniens, and granted certification. However, on appeal that certification was dismissed. The result on appeal arose from a forum selection clause in the Facebook Terms of Use. Applying the established test from Z.I. Pompey Industrie v. ECU-Line N.V., 2003 SCC 27, the BC Court of Appeal concluded that there was not “strong cause” to decline to enforce the forum selection clause, and therefore stayed the proceeding. As with the recent leave to appeal granted in the Equustek case, the Douez decision explores an important aspect of court jurisdiction over disputes involving online conduct. Where Equustek examined cases not governed by binding terms of service, Douez will provide some parallel insight into situations where terms of service purport to limit the ability of Canadian courts to address online disputes, particularly where such terms may come into conflict with geographically limited causes of action. Given the similar jurisdictional issues raised as between Douez and Equustek, and the proximity in time that the cases were granted leave, it is likely that the court will hear and consider both matters together. [Mondaq]


US – House Lawmakers Launch Encryption Working Group

The Chairmen of two House Committees have announced the creation of an encryption working group to examine the complicated legal and policy issues surrounding encryption; the group will identify potential solutions that preserve the benefits of strong encryption while also ensuring law enforcement has the tools needed to keep Americans safe and prevent crime. The House Judiciary Committee and Energy and Commerce Committee have primary jurisdiction over encryption and the issues it presents for citizens, law enforcement, and American technology companies. [Committee on Energy & Commerce] [FCW]

EU Developments

UK – ICO Releases 12 Step Guide on the GDPR

The UK Information Commissioner’s Office released its first guidance on the General Data Protection Regulation (GDPR): the 12 steps that businesses can start taking now to prepare for the GDPR. The ICO also launched a new microsite on the GDPR. Here is a summary:

  • Ensure awareness amongst key stakeholders in the organisation.
  • Document the personal data that they hold, where it came from and with whom they share it.
  • Review current privacy notices and put a plan in place for making any necessary changes.
  • Check existing procedures to ensure that they cover all the rights data subjects now have.
  • Look at the various types of data processing they carry out, identify and document legal basis.
  • Ensure process and procedures are documented – to help demonstrate compliance with the accountability requirements. [Source] [Press Release] [blog entry]

EU – EDPS Releases Guidance on Information Security Risk Management

The European Data Protection Supervisor has released new guidance on Information Security Risk Management, “which advises EU institutions on how to ensure a secure and trustworthy digital environment for the information that is essential for the functioning of their services.” “The security of personal data is a legal requirement, but it is also necessary in the interests of organisations that rely on the use of information for their daily business … I urge the hierarchies in the EU institutions to engage in the tailored development and use of information security risk management processes to address the specific needs of their organisation.” [EDPS Press Release]

EU – Other European Privacy News


CA – MasterCard and Bank of Montreal Launch ‘Selfie Pay’

Bank of Montreal customers who use MasterCard to make online purchases will be taking selfies for a whole new reason this summer, as BMO becomes the first Canadian bank to support MasterCard’s new Identity Check mobile app, colloquially known as “selfie pay,” the companies announced. So far, around 200 BMO employees with corporate credit cards have been signed up for the biometric-based feature, which complements the company’s existing MasterPass service by using facial recognition and fingerprint scanning technology to verify online payments. [IT Business]


CA – Revised Edition of Sedona Canada Principles is Published

The Sedona Canada Principles are revised in a second edition. Principle 2 (proportionality) has been revised to create a 5-part test for applying the “reasonableness” principle; principle 7 (electronic tools) recommends that the parties agree in advance on the tools to be used, and principle 11 (sanctions) is revised to recommend that the Court consider sanctions where a party fails to meet its discovery obligations. [New Edition of the Sedona Canada Principles for E-Discovery – Kirsten Thompson, Partner, and Nolan Hurlburt, Associate, McCarthy Tetrault]

CA – OIPC BC: Records Fall Outside the Scope of FIPPA and Can Be Withheld

The OIPC BC reviewed a decision by the Office of the Police Complaint Commissioner to deny access to records requested pursuant to FIPPA. For records to be except from FIPPA, due to provisions under the Police Act, they must relate the operational records, but not administrative records; based on the video evidence provided the records at issue are operational records of the Police Complaint Commissioner because they are part of a specific case file and relate to the exercise of the Police Complaint Commissioner’s functions under the Police Act. [OIPC BC – Order F16-13 – Office of the Police Complaint Commissioner]

Health / Medical

US – Next Phase of HIPAA Audits Has Begun

The government’s Phase 2 HIPAA audits began March 21. Phase 2 will consist of 200 desk and on-site audits of both covered entities and business associates. The compliance audits are intended to determine if health-care organizations and their contractors are complying with HIPAA privacy and security rules. The first phase of the HIPAA audits was conducted as a pilot program in 2011 and 2012, focused solely on covered entities, while Phase 2 will include both covered entities and business associates. The desk audits are expected to be completed by December, while the more comprehensive on-site audits will begin later in the year. The OCR has reached nine major settlement agreements regarding HIPAA breaches since last March, resulting in a total of $11 million in fines. Some of the lessons learned as a result of the OCR’s enforcement efforts, included the need for companies to:

  • safeguard all paper records, even if most records have migrated to an electronic format;
  • maintain business associate agreements with all business associates;
  • perform a comprehensive risk analysis of all sources of protected health information, not just electronic health records; and
  • translate the results of a risk analysis into a robust risk management plan.

[OCR fact sheet on the Phase 2 audits] [BNA]

US – GAO Identifies Healthcare.Gov Security Weaknesses

The Government Accountability Office released a report identifying several weaknesses in the security of In a span stretching from October 2013 to March 2015, the Centers for Medicare & Medicaid Services reported 316 security-related incidents affecting the site. The breaches mostly consisted of mailing sensitive information to the wrong recipients and the probing of CMS systems by potential attackers. Despite CMS’ efforts to protect the privacy and security of the data maintained through the systems supporting, the GAO noted various trouble spots, including faults in technical controls that could place sensitive information at risk for unauthorized disclosure and controls that protect data flowing through data hubs. The GAO, however, noted that hackers did not successfully compromise any personally identifiable information during that span. [Full Story]

US – Two Hospitals Held For Ransom

Hackers held the computer systems of two California-based Prime Healthcare Services’ hospitals for ransom last week. A Prime Healthcare spokesman said that the incident didn’t cripple the internal systems, hospitals remained “operational,” and the FBI is investigating the incident. While not elaborating on the ransom, he called the situation “similar to challenges hospitals across the country are facing.” Meanwhile, Chubb’s Global Cyber Risk Practice announced the launch of a ransomware service for policyholders. “Many businesses are not equipped to deal with a cyber-extortion attempt, where the timeliness of the response is even more critical,” said Global Cyber Risk. [Kaiser Health News]

WW – Diagnosis by Smartphone Risks Patient Confidentiality: Researchers

Doctors who photograph skin conditions using unsecured, personal mobile phones could be breaching patient privacy. In an article in the Medical Journal of Australia, researchers say using telemedicine for diagnosing dermatological conditions was popular because it sped up treatment and improved patient outcomes, particularly in regional areas where there are few specialists. However doctors and medical institutions endangered patient privacy, as well as their own indemnity insurance and confidentiality clauses of their employment contracts, if they failed to protect confidential patient records by using unsecured mobile phones and emails. [Source]

Internet / WWW

WW – GPEN Issues 2016 Annual Report

The Global Privacy Enforcement Network (“GPEN”), an informal network of 59 privacy enforcement authorities in 43 jurisdictions around the world, has released its 2015 annual report. Highlights:

  • Launched GPEN Alert, a new information sharing system that enables participating authorities to better coordinate international efforts in protecting consumer privacy.
  • 18 teleconferences held in the Atlantic and Pacific regions to connect authorities and to build and share expertise. Two face-to-face meetings in Ottawa and Amsterdam
  • Third annual Privacy Sweep spotlighted the privacy practices of websites and apps targeted specifically at, or popular with, children. [Report]

Law Enforcement

UK – Police Create Mega Crime Database for “Predictive Policing”

The police are to consolidate a number of their large databases into a single “platform” in order to “protect victims and spot potential links to other crimes.” The plans for a “National Law Enforcement Data Programme” were announced by the Home Office this week and will bring together data from the Police National Computer, Police National Database and Automatic Number-Plate Recognition (ANPR) systems “onto a single platform.” However, last year the legality of the ANPR database – which collects a “record for all vehicles passing by a camera… including those for vehicles that are not known to be of interest at the time of the read“ – was called into question by the Surveillance Camera Commissioner. The National ANPR data centre now holds information on 22 billion car journeys. Other measures contained within the Modern Crime Prevention Strategy (PDF) include an “explicit focus on data and technology” and the use of “predictive policing”. [Source] [UK tech industry welcomes government’s new anti-crime strategy]\

US — Study: Punishments for Police Database Misuse Should Increase

Police who abuse official law enforcement databases must receive stronger penalties, says a civilian oversight agency. A study by the Denver Office of the Independent Monitor documented 25 cases of the city’s police misusing the database in the past 10 years. “These databases contain vast amounts of personal information about the American public, including community members in Denver,” said the agency’s Independent Monitor. “When they are misused, reprimands are not commensurate with the seriousness of that violation, and may not be strong enough to deter future abuse.” [New York Times]

CA – Retired Police Chief Keeps (Unwiped) Work Devices

The City of Hamilton Police Services Board did not delete sensitive data from former Chief Glenn De Caire’s police-issued laptop and mobile phone, items he was able to keep post-retirement. This potential oversight sparked privacy concerns, but law enforcement officials say there’s nothing to fear. “I don’t know whether he downloaded anything,” said the Police Services Board Chair Lloyd Ferguson. “I trust Glenn and I don’t know whether he would’ve saved anything to the hard drive.” That problem is bigger than that, argued Ryerson University’s Ann Cavoukian. “It’s not that we don’t trust the former police chief. It’s that accidents happen,” she said. “I don’t want to suggest otherwise, but nonetheless this material has to be governed by strict policies and protocols.” [CBC Hamilton]

CA – Ontario Provincial Police Investigating Unlawful Prison Surveillance

Correctional Service Canada’s use of surveillance inside a federal prison has sparked an official investigation by the Ontario Provincial Police and a lawsuit from the jail guards. Officials used cell-site simulators, or IMSI catchers, to locate prisoners’ contraband cellphones, but the technology also grabbed private data from the guards’ cellphones as well. Indiscriminate surveillance programs can be considered a violation of the Criminal Code, but lawyers argue that this may be tricky to prove, as there is a lack of legal precedent that exists for prison surveillance. Regardless, “CSC officials have recently stopped giving statements to lawyers pursuing the civil suit,” the report adds. [The Globe and Mail]

Online Privacy

US – Medical Organizations, Facebook Sued in Class Action

In a new class-action lawsuit, plaintiffs claim Facebook spied on users who relayed private health information on major cancer institutes’ websites in order to make profit off the data in advertising revenue. Winston Smith has sued Facebook, the American Cancer Society, the American Society of Oncology and five others alleging Facebook uses the private health data it takes from the medical institutes’ websites, which feature a secret “Facebook code” capable of transmitting users’ data to the social media site, to create targeted advertising campaigns. [Courthouse News Service]

WW – Facebook Appeals to Advertisers Seeking Certain Groups Via Race-Based Marketing

Facebook’s has launched new race-based marketing campaigns. In a recent campaign, ads for N.W.A.’s “Straight Outta Compton” were served in different ways to three different audiences: black, white or Hispanic. Facebook calls it “ethnic affinity” targeting, and it’s been pushing it since 2014. It appeals to advertisers seeking a certain group. But Facebook users aren’t required to declare their racial or ethnic identity in their profiles. A Facebook executive explained that to construct a profile of a user’s identity, the company looks at “indicators” like your interests, friends and organizations you belong to. [Ars Technica]

WW – Adobe Unveils Cross-Device Targeting Co-Op

Adobe has announced plans for cross-device targeting, which would not only notify technologists when the same individual is using different devices, but also provides companies a new way to target ads. To do so, members of the new Adobe Marketing Cloud Device Co-op will share data with each other. “So if Company X has been able to use login data to establish that two devices belong to the same person, other members of the co-op take advantage of that fact and tailor their advertising accordingly.” The plan has sparked privacy concerns, but Adobe said the participating advertisers must opt-in, and the shared data is not personally identifiable. [TechCrunch]

WW – The Impact of Your Data Footprint

It’s no mystery to most privacy professionals, but the impact one’s data footprint can have on everyday life is beginning to be well chronicled in mainstream media. Fast Company published a long-form work on the myriad decisions that are made via personal data, often without the data subject’s knowledge. From the presence of police in your neighborhood (or not) to the potential dates you’re presented with on your dating site of choice to the job you are offered (or not), the report details how data may be impacting your life experiences. The article’s conclusion? “[E]thical considerations need to be guiding us.” [Full Story]

Other Jurisdictions

AU – NSW Statutory Cause of Action for Invasions of Privacy?

The NSW Legislative Council Standing Committee on Law and Justice has recommended in its report Remedies for the serious invasion of privacy in New South Wales the establishment of a statutory cause of action for serious invasions of privacy. The Committee recommended that, in establishing the statutory cause of action, it should be based on the Australian Law Reform Commission’s (ALRC) model detailed in its 2014 report Serious Invasions of Privacy in the Digital Era (which was the subject of considerable focus during the Committee’s inquiry). The report’s recommendations were made by MPs from four parties, including those of the Coalition, so this is clearly an idea in the mainstream of NSW political thought. Nothing will happen, however, until the NSW Government’s response to the report, which is expected by 5 September 2016. [Clayton Utz Insights]

Privacy (US)

US – FTC Fines Data Broker $4,000,000 for Selling Sensitive PI Without Consent

The FTC entered into an agreement with Sitesearch Corporation et alia following alleged violations of the FTC Act. The data broker is permanently restrained from selling, transferring, or otherwise disclosing a consumer’s sensitive personal information to any third party without consent, it must not misrepresent that a consumer has authorized or consented to the purchase of a product or service, or the nature or terms of any refund, cancellation, exchange, or repurchase policy. [FTC v. Sitesearch Corporation – Final Judgment and Order for Injunctive and Other Relief – United States District Court for the District of Arizona]

US – NY Contractor Fined $3.1M for Outsourcing Government PI to India

A New York contractor will pay $3.1 million and undergo oversight for the next five years for violating a contract that involved outsourcing the personal information of millions of individuals to a company in India. Focused Technologies Imaging Services was tasked with digitizing 22 million files maintained by the State Division of Criminal Justice Services, which included fingerprints, Social Security numbers, signatures and dates of birth. For $82,000, the company shipped the files of millions of individuals to an Indian-based company for processing. Though the state contract required Focused Technologies’ employees pass background checks prior to processing as an added protection for the records, the company to which the records were outsourced did not conduct background checks on its employees. [The New York Times]

US – Hulk Hogan Wins $115M in Privacy Invasion Case

A jury awarded former wrestler Hulk Hogan $115 million (About $1,138,613 per second) after finding that news site Gawker violated his privacy by publishing a sex tape of Hogan without his consent. The jury awarded Hogan $60 million for emotional distress and an additional $55 million for economic damages, with the possibility of more. “This is a victory for everyone who has had their privacy violated,” said Hogan’s attorney. University of Miami School of Law professor Mary Anne Franks said, “People are thinking a little bit more about the concept of what is newsworthy, because what’s changed is the concept of who a public figure is.” The case comes a week after sports reporter Erin Andrews won $55 million for having her privacy violated by a stalker. [Reuters]

US – Gawker Hit With $25 Million in Punitive Damages

A Florida jury ruled that in addition to its $115 million fine, Gawker must pay $25 million in punitive damages for posting wrestling star Hulk Hogan’s sex tape online without consent. The jury also required the news outlet’s CEO Nick Denton to pay a $10 million fee. “I think we made history today, because I think we protected a lot of people today who may be going through what I went through,” Hogan said. The company said it would appeal the ruling. “We are confident we will win this case ultimately based on not only on the law but also on the truth,” Gawker said in a statement. [Reuters]

Privacy Enhancing Technologies (PETs)

US – Tool Puts Users in the Data-Access Driver’s Seat

Massachusetts Institute of Technology and Harvard University research teams are developing a tool that gives mobile users the “final say” on how and when their data is accessed by applications. The cryptography-based program, called Sieve, encrypts and stores user information in the cloud, dispensing data-access requests to the user when an application wants to employ the data. [ZDNet]


US – Study: Cybersecurity Pros Hesitant to Share Threat Intel

A new McAfee Labs survey of 500 private-sector companies indicated that more than a third of cybersecurity professionals “remain hesitant” to share threat intelligence with members of other industries. 63% of respondents would participate in reciprocal threat sharing. The problem, according to the study, lies in companies’ “misunderstanding” of the information appropriate to share. “When an organization begins to implement a [cyber-threat intelligence] sharing effort, it runs afoul of policies that dictate that no confidential data or [personally identifying information] can leave the organization. This is, of course, generally a good policy but the lack of understanding of the content being shared becomes self-defeating in this case.” [FedScoop]

US – OMB Study: 77,000 Cyber Incidents Hit Government in 2015

An Office of Management and Budget annual performance review found that 77,000 “cyber incidents” befell the U.S. government in 2015, a 10% increase from 2014. The study defines these incidents as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices,” and names the government’s increased ability to identify data breaches and employee security gaffes as partly responsible for the larger total, the report states. Regardless, “malicious actors continue to gain unauthorized access to, and compromise, federal networks, information systems, and data,” the study said. [Reuters]


US – NYCLU Says Cities Free Wifi Building ‘Massive Database’

When New York started replacing its pay phones with wifi kiosks in January, the new free internet access was met with a great deal of excitement, particularly over the network’s speed. The beta launch included just a dozen wifi hubs, but the city plans to convert 7,500 phone booths over the next few years so that free wifi is as ubiquitous as the yellow taxi in New York. But now, concerns about privacy are beginning to emerge. The New York Civil Liberties Union (NYCLU) accused the city of using its new public wifi system, LinkNYC, to “build a massive database,” complaining that the company behind the program, CityBridge, can keep a vast amount of information about wifi users, per its privacy policy. “In order to register for LinkNYC, users must submit their e-mail addresses and agree to allow CityBridge to collect information about what websites they visit on their devices, where and how long they linger on certain information on a webpage, and what links they click on. CityBridge’s privacy policy only offers to make “reasonable efforts” to clear out this massive amount of personally identifiable user information, and even then, only if there have been 12 months of user inactivity. New Yorkers who use LinkNYC regularly will have their personally identifiable information stored for a lifetime and beyond.” The group sent a letter to Mayor Bill de Blasio’s office enumerating their concerns about the vagueness of the privacy policy. The letter lists three main concerns: how long user data will be retained, unclear language about government requests for user data, and whether the “environmental sensors and cameras” that sit on the new wifi hubs will feed into the Domain Awareness System, a city-wide police surveillance network. As of late 2013, 57 cities had municipal wireless systems of some sort, a number that has and will continue to grow.  [Fusion]

Telecom / TV

US – FTC: We’ll Be Watching for TV Habit-Tracking Apps

The FTC is advising mobile app developers that it has its eye on technology that could allow phones to monitor TV viewing habits and relay that to targeted third-party advertisers. In a blog post this week, the FTC pointed out it was sending letters—from the associated director of the Privacy and Identity Protection division—to app developers whose apps use software created by Silverpush that runs in the background and enables phones to “listen” for embedded audio signals in TV programs to determine what TV shows or ads are playing (sort of like a Shazam for TV content), even when the app is not being actively used. The app “could” create a log of such TV content. [Source] [FTC Raps Android Developers For Using SilverPush Software]

Workplace Privacy

US – Study: Employees Deserve Privacy Laws

In a forthcoming California Law Review paper titled “Limitless Worker Surveillance,” the authors argue that the government should establish employee surveillance protection laws that would balance an employer’s right to efficiency and a worker’s right to privacy in an increasingly connected world. “While employers have a reasonable interest in ensuring the productivity of their workers and in dissuading misconduct in the workplace, that interest does not outweigh the human right to privacy and personal liberty in domains that have been traditionally considered as separate from work and the workplace,” the research states. They dub their proposed law the “Employee Privacy Protection Act,” and maintain that the same legal protections should be extended to health care workers, as well. [Information Week]



08-18 March 2016


CA – Researchers Considering Iris Biometrics to Help Homeless Get Healthcare

A Canadian research project is looking at the use of iris recognition to help homeless people get around the problem of accessing healthcare without proper identification. The iris recognition project will begin later this month with researchers asking those at select temporary shelters whether they’d be comfortable having their iris image captured to be used as a form of ID. An algorithm developed by engineering students at Western University will turn those images into a number that will become the test subjects’ unique ID numbers. Ontario NDP member of provincial parliament Peggy Sattler said, “This (project) is not intended to stigmatize homeless people. It will shed light on how this could work and it can help homeless people have access to health care.” In fact, the technology could also be expanded for all Ontarians, Sattler said. “There are 100,000 more OHIP (Ontario Health Insurance Program) numbers than there are Ontarians.” “Eventually, you could get an iris scan at your doctor’s office and it would go into some kind of database, and every time you access health care, you don’t need a card.” Details about the storage and protection of the biometric data have yet to be worked out. [London Free Press]

Big Data

WW – Twitter, Dove Using Data to Raise Body-Shaming Awareness

Dove unveiled the newest development in its #SpeakBeautiful campaign last week, a tool developed with Twitter that tracks a user’s body-centric buzzwords on the site. The tool issues a link to a user’s own “custom microsite” after they retweet Dove’s official content. The microsite then shows users their own Twitter data, comparing how their “negative tweets stack up to other women.”“ [AdWeek]


CA – OPC Outlines Recommendations for Modernizing the Privacy Act

The Privacy Commissioner of Canada welcomes a Parliamentary committee review of the Privacy Act and has unveiled his priorities for modernizing the law governing how the federal government handles personal information, which has remained largely unchanged since it was proclaimed in 1983. The OPC recommended changes under three broad themes: Responding to technological change, legislative modernization and the need for transparency. The Privacy Act should be amended to

  • Require that all information sharing be governed by very explicit written agreements;
  • Create an explicit requirement for institutions to safeguard personal information, as well as a legal requirement to report breaches to the OPC;
  • Broaden the grounds to seek a Federal Court review to include all contraventions of the Privacy Act, not just denials of access to personal information;
  • Require government departments to consult the OPC on bills that impact privacy before they are tabled in Parliament;
  • Allow the OPC to report in a more timely and proactive manner on the privacy practices of federal institutions, beyond annual and special reports to Parliament; and
  • Extend the application of the Privacy Act to all government institutions, including Ministers’ Offices and the Prime Minister’s Office.

Commissioner Therrien also urged Parliament to consider regulating the collection, use and disclosure of personal information by political parties, but noted the Privacy Act is probably not the best instrument to do this. [Commissioner Therrien’s full statement]

CA – Alberta Privacy Commissioner Aims to Bring Non-Profits Under Provincial Privacy Legislation

The AB OIPC has recommended to the standing committee on Alberta’s economic future that nonprofits should comply with privacy legislation. The Calgary Sun reports that more than 20,000 nonprofits have been exempted from complying with privacy legislation. Privacy Commissioner Jill Clayton wants to eliminate this exemption as her office was only able to address 9% of the privacy complaints it received regarding nonprofits last year. [Calgary Sun]

CA – Nova Scotians Not Keen on Tech Saving Them Money on Car Insurance

Several insurance companies in Nova Scotia are offering a program that allows people to save up to 25% on their car insurance, but few people are opting to take part, according to OTC insurance and the Insurance Bureau of Canada. In order to apply for the discount, people have to volunteer to install what’s known as a telematics device in their car. The small device is installed under a car’s steering wheel and records an individual’s driving habits for six months. The device records things like driving distances, the time of day the car is driven, and sudden acceleration or braking. At the end of the six months the device is turned over to the insurance company and it uses the data to determine if the user should get a discount on their insurance. “We’ve been advertising quite heavily on the radio and seems like people are very leery about having this device in their vehicle for the insurance companies to look at.” David Fraser, a privacy lawyer, has mixed feelings about telematics. “Once this information is generated, it exists and it can be used for other purposes. It can be subpoenaed in connection for with a lawsuit, the police could get a search warrant and it just adds to the amount of digital debris that we leave behind in the run of the day.” He also questions how accurate the information will be and how it will be interpreted. [CBC News]

CA – BC Law gives Coroners Wide Power to Protect Privacy of the Dead

The BC Coroners Service has refused to release the medical records of a murder victim asserting the deceased still has privacy rights. There aren’t any Freedom of Information and Protection of Privacy Act provisions that compel “public bodies … to disclose certain types of information,” said Michelle Mitchell, communications officer for the Office of the Information and Privacy Commissioner for British Columbia. “Therefore, it is not within the commissioner’s powers to require a public body to include specific kinds of information in a report,” she added. [Vancouver Sun]

CA – Trudeau Agrees to Hand Over Even More Data About Travelers to the US

Justin Trudeau’s pilgrimage to Washington has produced one clear result. Canada’s new Liberal government says it will push through a long-delayed plan to share with Washington biographic and other information on Canadian citizens travelling overland to the U.S. The Americans, in turn, will reciprocate. [Source] [US Travel cheers expansion of Border Preclearance Program in Canada] The announcement came as a sidenote to the climate change strategy announced by the two leaders, with fanfare, in DC on last week. “The government of Canada has assured the U.S. it will complete the last phase of a coordinated entry and exit information system so the record of land and air entries into one country establishes an exit record from the other,” the statement from the two leaders reads. Obama framed the deal around stemming the flow of foreign fighters between the two countries — even though evidence for that supposed trend appears to be non-existent — but the effects of the deal could impact the privacy rights of all cross-border shoppers, tourists, and anyone else who crosses the world’s largest land border. The entry/exit deal dates back to the 2011 ‘Beyond the Border’ plan to boost security and reduce trade restrictions between the two countries. The 2011 plan commits the two countries to “establish coordinated entry and exit systems at the common land border” and “exchange biographical information on the entry of travelers, including citizens, permanent residents, and third country nationals” whenever they cross one country into the other. But that part of the plan never came into force, at least not as envisioned. Canada began sharing information with its American counterparts on all third-country nationals — border-crossers who were neither American nor Canadian — but never began doing so for its own citizens, even though it committed to start in June 2014. [Source] [Op-Ed: Canada to share information with U.S. on land border crossers] [Canada, U.S. to share more passenger information ] [Trudeau quietly agrees to share info on Canadians with U.S.]

CA – CSIS Head Says New Powers to Disrupt Plots Used Almost 2 Dozen Times

The head of Canada’s spy agency told a Senate committee that his agency has used its extraordinary powers to disrupt extremist plots close to two dozen times since the fall of 2015. Michel Coulombe, director of CSIS, made the admission to the national security and defence committee, revealing for the first time how frequently this power was used. Canada’s spy agency was granted the power to disrupt suspected plots rather than just relay information about those plots to the federal government and the RCMP when Bill C-51 became law this past summer. [CBC] [CSIS hasn’t crossed line with controversial new powers under Bill C-51, director tells Senate committee]

CA – Toronto Fire/Paramedic Services to Post Emergency Call Data Online

City councillors are getting ready to make vital information about fires and medical emergencies available to the public. A council committee approved two motions this week to have the fire and paramedic services make data from their LiveCAD system — which tracks calls for help in real time — open for the public to see and download. Both were instructed to work with the city’s legal department to make the information available without compromising the privacy of Torontonians. One solution proposed to the committee, for example, was releasing the nearest major intersection to each incident rather than the specific address. [Source]

CA – Regina Police Posting Photos of Potential Witnesses, Suspects and Victims

Can you identify this individual? That question is written under photos of various people, usually appearing in security camera footage, posted on the Regina Police Service’s website. Most of the pictures are of men and women entering stores, walking down aisles or buying something at a cash register. A form underneath the photos allows someone to leave a confidential tip. In some photos, police have put more information about why they are seeking someone, usually because they are a suspect in a crime. But in others, no information about why police want to talk to the individual is provided. The practice began shortly after police started posting photos of individuals wanted on outstanding warrants to its website in February. When explaining the “Can You Identify” page, a separate section of the website, police stress the individuals appearing there are not necessarily suspects in a crime. Once the individual has made contact with police, their photo is taken off of the website. Walter said police have had success with the initiative, and some of the individuals have turned out to be suspects. Before beginning the practice, the RPS consulted its legal counsel through the City of Regina. The approval was given on the basis that a person in a public space does not have the expectation of privacy, and their image is not considered personal information. What police are doing is legal, but it still doesn’t sit well with the Canadian Civil Liberties Association. “It’s not clear what they were suspected of doing, or why the police are seeking them. And once the police locate them, it may turn out that these individuals are innocent. However, other members of the community could assume that someone being sought by the police is guilty of some kind of wrongdoing, and this stigma is particularly troubling given how long images can stay on the Internet,” said Berger. [Leader-Post]

CA – Federal Government Launches Consultations on Breach Notification

On March 9, 2016 the Department of Innovation, Science and Economic Development Canada released a discussion paper on the new data breach regulations being proposed to PIPEDA pursuant to the Digital Privacy Act (Bill S-4). The Ministry is accepting public submissions until May 31, 2016 on the proposed Data Breach Notification and Reporting Regulations. The discussion paper not only solicits comments, it identifies issues that may arise in respect of certain regulatory approaches. Following this consultation process, the Canadian Government will publish draft regulations for public comment and further consultation. It is unlikely that we would see breach reporting come into force in Canada before the last quarter of the year. [Source] [Industry Canada] [Discussion document] [Source]


WW – How Canadians Feel About Data and Privacy (Survey)

Concern about data privacy and security is down among consumers across the globe, but companies still have a long way to go to earn their trust, according to a new study from SAS. The analytics company conducted an online survey of more than 4,300 adults in 15 countries, including Canada. Globally, 63% of respondents said recent events like hacks and data breaches of government agencies and financial websites have heightened their concerns around sharing personal information, down from 69% in SAS’s 2014 survey. In Canada, 64% of consumers report concern about what businesses do with their personal data; 24% of respondents feel they have no control at all over what businesses do with their information, and only 13% believe they have total control. [Mobility, Vulnerability and the State of Data Privacy] [Marketing Magazine]

US – Time, Mansueto Ventures Sued for Alleged Data-Selling Practices

The ability to sell subscriber information to third parties is at the center of two separate lawsuits. Plaintiffs maintain that both Time Inc., the company behind magazines People and Sports Illustrated, and Mansueto Ventures’ data usage violated their respective states’ privacy legislation. “Unfortunately for its subscribers, Time supplements its sales and advertising revenue by secretly selling their statutorily protected information — including their full names, titles of magazines subscribed to and home addresses (collectively ‘Personal Reading Information’) — to data miners and other unrelated third party companies,” one suit reads. [NY Post]

US – Don’t Post About Me on Social Media, Say Children

Recently, university researchers asked children and parents to describe the rules they thought families should follow related to technology. In most cases, parents and children agreed — don’t text and drive; don’t be online when someone wants to talk to you. But there was one surprising rule that the children wanted that their parents mentioned far less often: Don’t post anything about me on social media without asking me. [New York Times]


CA – Canada: Federal Government Lagging on Online Services, Documents Warn

The federal government is lagging behind both private sector offerings and Canadians’ expectations in online services, internal documents warn. A full 77% of federal services still cannot be completed over the Internet. Services like passport applications, requesting access to government information, or obtaining proof of citizenship all require in-person treks to Service Canada locations or mailed application forms. A minority of services, like filing taxes or updating pension information, can be done online through government websites. In addition to raised expectations, the documents note that it takes a long time for the sprawling federal bureaucracy to implement changes in how it delivers services. [Source]

US – California Judge Reverses Court Order on Student Information Release

A federal judge tweaked her initial court order for the release of sensitive student data to a statewide parent group of special education advocates March 1, as a result of a “large number of objections” from parents who mailed in opt-out forms to the U.S. District Court in Sacramento. [The ruling] In her March 1 order, U.S. District Court Judge Kimberly Mueller noted the large number of objections to the potential release of student data received by the court following the posting of the “Notice of Disclosure of Student Records” on Feb. 1. In response, the court ordered that the CDE maintain custody of the most sensitive of its databases—the California Longitudinal Pupil Achievement Data System (CALPADS)—while running searches for information requested by the plaintiffs. The court also reiterated that no student’s personally identifiable information may be released to the plaintiffs unless and until they demonstrate to the satisfaction of the court that the method to be used to store the sensitive student data is secure, the CDE noted. The parties are still litigating the extent of the disclosure of student data. [Morgan Hill Times] See also: [Special ed court case causes stir] [Teachers union supports opt-out option]


CA – Claim that Minister Doesn’t Use Email Adds Questions About B.C. Libs Compliance With FOI Laws

The B.C. finance minister has joined a growing list of senior provincial government officials who either claim they do not use email or who have been caught routinely deleting their emails. The practice has gained prominence following freedom-of-information requests by the media and a damning report by the OIPC BC, which rebuked the Liberal government for failing to adequately create and maintain records. It also singled out specific staff for routinely “triple deleting” emails as a means of permanently destroying records. BC Premier Christy Clark responded with a public statement. “The practice of ‘triple-deleting’ will be prohibited, ministers and political staff will continue to retain sent emails and a new policy and specific training will be developed,” she said in a December 16 media release. Clark also said the government would “study and consider the establishment of duty to document”. According to his press secretary, “(Finance) Minister de Jong has the longstanding practice of requiring information such as briefing notes, decision notes, memos and other correspondence to be delivered to him through his office on paper, rather than to an email account,” it reads. “His choice not to receive information or hold conversations by email is a matter of personal preference as a way to manage and prioritize the volume of information his portfolio already entails,” the statement continues. De Jong’s aversion to the world’s most common form of interoffice communication puts him in good company among Liberal government senior staffers. On December 16, the Straight reported that the premier herself had essentially stopped using email. [Vancouver free press] [Finance Minister Mike de Jong doesn’t do email, says premier — and that’s OK with her] See also: [FOI response suggests B.C. Premier Christy Clark has basically stopped sending emails] and [NDP cites evidence of emails deleted from top government accounts, including premier’s]

CA – Former BC Staffer Charged in E-Mail Deletion Probe

A former B.C. government employee who allegedly deleted e-mails involving the Highway of Tears has been charged with two counts of willfully making false statements to mislead, or attempt to mislead, the province’s information and privacy commissioner. The B.C. Criminal Justice Branch announced the charges Friday – approximately 4 1/2 months after Commissioner Elizabeth Denham released a scathing report that said Premier Christy Clark’s government routinely thwarted freedom-of-information requests through tactics such as triple-deleting e-mails. The charges were laid under FIPPA. Mr. Gretes faces a maximum fine of $5,000 a count. [The Globe and Mail]

Electronic Records

AU – Updated eHealth Record System Still Sparks Criticism

The Australian government’s revised eHealth program, now dubbed “My Health Record,” still faces the criticism of privacy advocates. While this newer iteration of the Personally Controlled Electronic Health Record permits an opt-out function, critics like the Australian Privacy Foundation argue that the program lacked specific instructions for doing so. “There are many people who should be very careful about letting the government put lots of identifying information into a central database,” the APF said in a statement. [Computerworld] [Opt-out e-Health a ‘Fundamental Breach of Trust’: Victorian Regulator]


UK – ICO Issues Guidance on Use of Encryption

The U.K.’s Information Commissioner’s Office has released a new set of encryption guidelines, urging companies to embrace the practice before it’s too late. Although encryption practices are relatively simple, companies “often have no idea whether their data is encrypted or not,” the report states. The ICO said in a blog post that while choosing to forgo encryption isn’t illegal, “the ICO takes the view that regulatory action may follow in cases where a lack of encryption has led to a loss of data,” resulting in a high number of fines and the loss of many a company’s reputation. [ZDNet] See also: [U.K.’s Investigatory Powers Bill would mean even small startups would be required to create backdoors to their systems] and [France Clears Bill That Could Force Apple to Unlock Terror Data] [A bill under consideration in France would impose powerful new penalties for companies that do not provide access to encrypted communications in terrorism-related investigations]

UK – Snooper’s Charter Would Require Even Startups to Build in Backdoors

Should the U.K.’s Investigatory Powers Bill pass through Parliament, even small startups would be required to “bake insecurities into their systems in order to be able to hack users on demand.” And, while Apple has been able to make public the fact that the FBI wants backdoor access in the U.S., the U.K. bill would require companies to keep quiet about law enforcement requests. “They built in systems that would force companies who have more than 10,000 users — which for a startup 10 years ago used to be a hard thing, now you can quite quickly collect 10,000 users no problem — so it’s a very low threshold,” said Privacy International’s Eric King. [TechCrunch]

US – EFF on Why FBI Can’t Force Apple to Sign Code

Code is speech: critical court rulings from the early history of the Electronic Frontier Foundation held that code was a form of expressive speech, protected by the First Amendment. The EFF has just submitted an amicus brief in support of Apple in its fight against the FBI, representing 46 “technologists, researchers and cryptographers,” laying out the case that the First Amendment means that Apple can’t be forced to utter speech to the government’s command, and they especially can’t be forced to sign and endorse that speech. In a “deep dive” post, EFF’s Andrew Crocker and Jamie Williams take you through the argument, step by step. [Source]

US – Encrypted WhatsApp Messages Frustrate New Court-Ordered Wiretap

The US Department of Justice has opened another legal front in the ongoing war over easy-to-use strong encryption. Prosecutors have gone head-to-head with WhatsApp, the messaging app owned by Facebook. Citing anonymous sources, the Times reported that “as recently as this past week,” federal officials have been “discussing how to proceed in a continuing criminal investigation in which a federal judge had approved a wiretap, but investigators were stymied by WhatsApp’s encryption.” The case, which apparently does not involve terrorism, remains under seal. [The New York Times]

WW – Google Adds Worldwide HTTPS Info to Transparency Report

Google has launched a transparency report specifically to track the progress of the Internet’s encryption efforts. The aim is in support of the general push to have encryption available everywhere. Even within the Google universe HTTPS is far short of 100% of traffic. Excluding YouTube traffic, but with Gmail, Drive, Search and increasingly Blogger and advertising traffic over HTTPs, only 75% of what’s served from Google domains is currently encrypted. Google will be updating that reporting each week, the company says. The second plank of the strategy is looking at Certificate Transparency: a public search interface letting users check that a certificate is valid and is being used correctly. [The Register]

EU Developments

EU – MEPs Vote Against Passenger Name Record Vote

Members of the European Parliament voted 7 March against placing the Passenger Name Record on the plenary session agenda, citing privacy objections. “It is true that the Council has never been particularly helpful on the legislative package related to data protection,” said French Socialist Delegation President Pervenche Berès. “But the fact that PNR has still not been adopted in March 2016, after it was promised for December last year, does not give a very good impression of the EU.” MEPs rejected placing PNR on the agenda for “fear a vote on PNR may allow member states to abandon the personal data protection package they have promised as a counterweight to the new surveillance powers.” [EurActiv] See also:

[some analysts are predicting the EU-U.S. Privacy Shield will not stand up to judicial scrutiny in Europe]

EU – EDPS Releases Case Law Overview

The European data protection supervisor has released a working document covering relevant privacy and data protection case law in the EU between Dec. 1, 2014 and Dec. 31, 2015. The case law pertains to the Court of Justice of the EU, European Court of Human Rights, and national courts of member states “on the right to the protection of personal data, the right to protection of private life, access to documents, and the right to freedom of expression,” the EDPS working document states. The overview also includes pending cases and is “intended to provide factual summaries of case law.” [Source]

Facts & Stats

US – Verizon Issues Data Breach Digest Report

Verizon has released a Data Breach Digest Report, a set of 18 case studies that comprise common scenarios that the majority of breaches fall into. The incidents include a water utility at which intruders managed to manipulate water treatment processes and flow; a developer who outsourced his work to China; and pirates (the seafaring variety) who used information stolen from a shipping company’s computers to target specific containers on vessels they boarded. [eWeek] [DarkReading] [Ars Technica] [CSO Online]

US – Businesses Reluctant to Report Attacks: Report

According to a report, Cyber Security: “Underpinning the Digital Economy,” from the Institute of Directors and Barclays bank, many organizations do not report cyberattacks to law enforcement. Just 28% of cyberattacks are reported. The report also found that while most business leaders believe cybersecurity is important, just half have established plans to protect themselves from attacks. [ZDNet]

CA – 53% Have Been ID Theft or Fraud Victims: Equifax Survey

More than half of Canadians (53%) say they have been a victim of financial fraud according to an Equifax Canada survey. Additionally, new data suggests that millennials (Generation Y) are increasingly the ideal target for fraudsters and organized crime syndicates. Throughout Fraud Prevention Month in March, Equifax Canada will work with the Canadian Anti-Fraud Centre (CAFC) to educate consumers, especially millennials about the impact of fraud and how to protect themselves. The CAFC estimates that mass marketing fraud losses to businesses and citizens has grown to greater than $10 billion annually, and it’s believed that almost 80% of all fraud is committed by organized crime groups. [Source]


US – FTC Wants Details on Credit Card Audit Practices

The FTC has issued orders to nine companies to share their Payment Card Industry Data Security Standards auditing practices, the agency said in a statement. The FTC aims to measure “the state of PCI DSS assessments,” the report states. The agency further hopes to gauge “the ways assessors and companies they assess interact” and to glean “information on additional services provided by the companies, including forensic audits.” [FTC]


CA – OIPC BC Orders Disclosure of 3rd Party Pricing Info Withheld by Public Body

The BC OIPC reviewed a decision by the Capital Regional District to withhold records requested pursuant to FIPPA. Disclosure of the information would not significantly harm the competitive position of the third party; the information does not directly state hourly rates, is not sufficiently detailed to reveal the hourly rates of individual personnel, and is dated information from 2009 and of limited use to competitors. [Order F16-05 – Capital Regional District]

CA – OIPC BC Orders Elections Body to Disclose Administrative Records

This OIPC order reviewed Elections BC’s refusal to disclose records requested under BC FIPPA. The administrative records are subject to FOI legislation and must be disclosed (e.g. job descriptions and a delegation matrix indicating who the Chief Electoral Officer has chosen to assist with his various functions); operational records do not fall under the legislation and may be withheld (e.g. an event plan that relates to the CEO’s planning of electoral processes, and memorandums of understanding related to the exercise of the CEO’s powers in relation to the prosecution of electoral offences). [Order F16-07 – Elections BC]

CA – OIPC SK Partially Upholds the Decision to Withhold Certain Records

The Saskatchewan OIPC reviews the decision of the Saskatchewan Arts Board’s to withhold records requested pursuant to The Freedom of Information and Protection of Privacy Act. The Board withheld records containing third party information which qualifies as advice, proposals, recommendations, analyses or policy options (such as, the analysis of and recommendations for issues faced by the Board, reports prepared for the Board which included advice and recommendations) that would be part of the Board’s responsibility and were prepared for the purpose of taking action or making a decision. [Review Report 154-2015 – Saskatchewan Arts Board]

Average Breach Falls Below Cyber Insurance Policy Deductible, Study Shows

An Advisen study, commissioned by ID Experts, found that the cost of the average data breach is less than most cyber insurance policies’ deductibles. “Most data breaches are small — consisting of fewer than 500 records lost,” the report states. “But most cyber insurance policies are set up to protect against large data breaches, with 90% of respondents having a deductible that is greater than $10,000.” As a result, more than 70% of those surveyed employ internal resources to clean up these smaller incidents. “There’s a lot of misconceptions around cybersecurity insurance — what it does, what it could do. It’s not for everyday occurrences.” [DarkReading]

CA – Commercial Liability Policies Likely Do Not Protect Companies from Data Breach Costs

A law firms examines why Commercial General Liability (CGL) policies may not protect companies in the event of a breach. The standard CGL policy usually requires “compensatory damages” to have been incurred, but the tort of breach of privacy does not require proof of damages; breach notification often requires legal assistance, which is not covered. U.S. case law suggests that CGL coverage for privacy-invasive “publication” does not apply to publication by third parties (e.g. hackers). [Breach: How New Types of Privacy Claims are Changing the Litigation Landscape – Daniel Reid, Associate, Harper Grey, Insurance Brokers Association of BC]


UK – Police Hold DNA Profiles of 7,800 Terrorism Suspects

A police counter-terrorism database contains the DNA profiles and fingerprints of more than 7,800 identified individuals, an official government watchdog has revealed. The figure revealed by the biometrics commissioner, Alastair MacGregor QC, in his annual report last week, is far higher than any previous indications of the number of suspected terrorists in Britain. The commissioner reveals that the number of individuals whose DNA profiles and fingerprints are being logged on the little-known database as a result of counter-terrorism investigations is growing rapidly, having risen from 6,500 identified individuals in October 2013. The watchdog also reports that errors and delays in an official drive to delete the biometric records of those who have never been convicted of an offence – which account for 55% or 4,350 of those on the counter-terrorism database – have led to the destruction of a significant number of biometric records of terrorism suspects that should have been kept on national security grounds. In his second annual report, MacGregor says 1.7m DNA profiles and 1.6m sets of fingerprints have been deleted from the police national DNA database since the home secretary, Theresa May, introduced legislation in 2012 requiring the removal of details of those who have never been convicted of a criminal offence. He says the fact that the national DNA database still holds the biometric details of 12.5% of all men and 3% of all women in Britain and has not had any “demonstrably adverse impact” on its effectiveness; indeed, if anything, its overall “match” rate with DNA evidence found at crime scenes has gone up. But the commissioner raises serious concerns about the standalone national counter-terrorism police database. It has been quietly built up under powers in the Terrorism Act 2000 by collating DNA profiles and fingerprints gathered from searches, arrests and crime scenes during counter-terrorism investigations. MacGregor says he decided to publish the number of individuals on the counter-terrorism database after it was suggested to him in 2014 that to do so would be contrary to the interests of national security. He says he was “not wholly persuaded” by the argument and this year he sought and obtained agreement to disclose the number. [The Guardian]

Health / Medical

CA – Ont. Court Docs in Assisted Death Cannot Be Named by Press

An Ontario judge agreed to ban media from reporting the names of doctors for a Toronto man seeking assisted death, arguing that anonymity is needed to ensure health workers keep helping out in such cases. The ruling by Justice Thomas McEwen of the Ontario Superior Court also prohibits identifying the cancer patient and his family, citing the “intensely private and personal matter of his death.” A lawyer representing the National Post and other news media had objected to the scope of the ban requested by the 80-year-old man, saying it was important to make public the physicians’ names, partly to help identify any doctors who might “rubber-stamp” assisted-death requests. But the physicians and other health workers had asked to remain anonymous and they were justified in doing so, said Justice McEwen. “Their wish and concerns are entirely reasonable, in my opinion, given the publicity and controversy surrounding physician-assisted death,” said his 10-page decision. “This is a public interest of great importance … There may be a serious risk (with naming names) of impairing access to physicians willing to assist.” The judge also ruled the patient’s lawyer could edit out the required information from the court file before making it available to the media or their lawyers. [Source]

US – Study: Health Apps Pose Major Privacy Concerns

An Illinois Institute of Technology Chicago-Kent College of Law study of Android mobile apps for diabetes management found privacy practices wanting. “Many health apps transmit sensitive medical information, such as disease status and medication compliance, to third parties, including aggregators and advertising networks,” the report states. More than 80% of the apps had no privacy policies. An undefined legal landscape encourages these behaviors, the researchers argue. “Patients might mistakenly believe that health information entered into an app is private (particularly if the app has a privacy policy), but that generally is not the case,” they said. [CBS News]

EU – Estonian Citizens to Have World’s Most Hack-Proof Health-Care Records

Estonia is moving its citizens’ health records to a database, based on blockchain technology, that nobody can mess with. While financial institutions rave about the potential for blockchain—the technology that powers bitcoin—as a way to revolutionize the financial world, it can also help keep private data secure. A blockchain is essentially a digital ledger that, thanks to some computational tricks, records every change made to it indelibly. This means it can act as a database for health data. Whenever someone’s health records are accessed, that “event” is recorded on the blockchain, alongside what information was changed or added. That way, the information remains both secure and tamper-proof; nobody can change it without leaving traces. Eventually, there will be a dashboard for the public to see their own health records and any changes made to them. [Estonia using Blockchain to secure health records] [Estonian citizens will soon have the world’s most hack-proof health-care records] [Guardtime secures over a million Estonian healthcare records on the blockchain]

US – Senator Asks Privacy Regulators to Stop Abuse of Nursing Home Residents on Social Media

After a December 2015 ProPublica report documented more than 35 incidents involving employees at assisted living homes sharing photos of residents on social media, U.S. Sen. Tom Carper, D-Del., wrote the Department of Health and Human Services’ Office for Civil Rights asking what it’s doing to curb these instances. Of the photos, which often depict naked, ill residents, Carper said in a statement, “This type of abuse is unacceptable and falls short of our moral obligation to the ‘least of these’ in our society.” The OCR’s Deven McGraw said the office would reply to Carper’s inquiries. [ProPublica] See also: [Newfoundland health worker fired for privacy breach involving 25 patients]

Identity Issues

EU – EMA Published Guidance on De-Identification of Clinical Reports

The European Medicines Agency (EMA) has published guidance on the anonymization of clinical reports according to EMA policy on publication of clinical data for medicinal products for human use (EMA/240810/2013). Under the European Medicines Agency Policy 0070 for medicinal products for human use, manufacturers are required to submit anonymized versions of clinical reports to the agency, as well as a risk analysis report documenting how the risk of re-identification is considered sufficiently small. The specificities of the clinical data should be taken into consideration when selecting the most appropriate anonymisation technique (e.g. masking, randomisation or generalisation); a data controller must continuously follow development in re-identification techniques and, if necessary, reassess the risk of re-identification. These documents will then be made publicly available under two different data sharing mechanisms. Many manufacturers are now trying to figure out how to meet these requirements for their new submissions. [Source] [Webinar by Privacy Analytics – March 31, 2016). [European Medicines Agency – External Guidance on the Implementation of the European Medicines Agency Policy on the Publication of Clinical Data for Medicinal Products for Human Use]

Internet / WWW

UK – New Guide to Help Build Child Safety into Platforms

The U.K. Department for Culture Media & Sport has released a new guide designed to help organizations ingrain online child safety into Web and mobile businesses. The guide, Child Safety Online: A Practical Guide for Providers of Social Media and Interactive Services, uses the six principles of the ICT Coalition for Children Online safety framework, a European industry initiative to make online platforms safer for younger users. The principles include content; parental controls; dealing with abuse/misuse; child abuse or illegal contact; privacy and controls; and education and awareness. [Source]

Law Enforcement

CA – Vancouver Police Investigates Leak About Visiting Photographers

The Vancouver Police Department claims it is still investigating how a local website obtained an internal police bulletin and photographs of three men who were wanted for questioning after they were seen taking photographs at Pacific Centre Mall last January. “As this matter remains under investigation by the Vancouver Police, we are relying on section 15 of the Freedom of Information and Protection of Privacy Act to withhold records related to this issue.” Section 15 of the act consists of a number of provisions that allow government organizations to refuse to release information if doing so would be “harmful to law enforcement”. The Straight filed the requests in question after the local website published photographs that the website later said it had obtained from an internal police bulletin it had received from a member of the VPD. The original post published on January 14 included photographs of the three men wanted for questioning and quoted the VPD internal bulletin describing them as “men who look Middle Eastern”. The following morning, VPD chief Adam Palmer said the force was never planning to go public with a warning about the men. He explained the VPD only responded with information intended for the public after an internal report was leaked to media. The VPD subsequently released a statement that cleared all three men of any wrongdoing. [Source]

US – Use of Stingrays Violates Fourth Amendment: Court

The Maryland Court of Special Appeals upheld a historic decision by a state trial court that the warrantless use of cell-site simulators, or Stingrays, violates the Fourth Amendment. The trial had suppressed evidence obtained by the warrantless use of a Stingray – the first time any court in the nation had done so. Last April, a Baltimore police detective testified that the department has used Stingrays 4,300 times since 2007, usually without notifying judges or defendants. Stingrays mimic cellphone towers, tricking nearby phones into connecting and revealing users’ locations. Stingrays sweep up data on every phone nearby — collecting information on dozens or potentially hundreds of people. The ruling has the potential to set a strong precedent about warrantless location tracking. [Slashdot]

CA – Surveillance Device Used In Prison Sets Off Police Probe

Federal prison authorities are under criminal investigation for possible illegal surveillance. The probe centres on Correctional Service Canada’s use of a dragnet surveillance device inside a penitentiary. Fallout from the 2015 surveillance incident, involving a device that CSC officials called a “cellular grabber,” has led to a lawsuit from jail guards and a criminal inquiry by the Ontario Provincial Police. [Source]

CA – RCMP Fight to Keep Lid on High-Tech Investigation Tool

Police in Canada are fighting to keep secret the specifics of advanced technology they’ve used to spy on mobile phones in a criminal investigation into organized crime. Court documents filed in the Quebec Court of Appeal show government lawyers have acknowledged that the RCMP used an extraordinary communications-interception technique involving “mobile device identifier” equipment. But the Crown will be fighting to keep details of the operation under wraps during a court hearing scheduled for March 30 in Montreal. Chris Parsons, a researcher with the Citizen Lab at the University of Toronto’s Munk School, said this case “wouldn’t be the first time [these devices] have been used – but it would be the first time [authorities] have been caught out in court.” The public is bound to want to know more, Mr. Parsons said. “These are fundamentally devices of mass surveillance,” he said. [Source]

AU – Fears Policing Databases Will Be Exempt from Privacy Laws

National policing databases for firearms, domestic violence and child offenders will no longer be overseen by Australia’s privacy watchdog and could be exempt entirely from privacy laws if they are handed over to the Australian Crime Commission under proposed laws. The information commissioner, Timothy Pilgrim, has warned in a Senate inquiry submission that if a proposed bill to merge Crimtrac’s functions into the Australian Crime Commission is passed the data held by CrimTrac will no longer be subject to Australia’s privacy laws. The federal government has put forward bills that would see the secretive Australian Crime Commission, which has the power to conduct coercive interviews, essentially take over the functions of CrimTrac and other agencies. CrimTrac is the national policing organisation that holds major databases surrounding firearms, domestic violence, child offenders and missing persons. It also assists in the collection of biometric data for the immigration department. As a result it holds large quantities of personal information on millions of Australians. The agency will continue to be overseen by the commonwealth ombudsman and the Australian Commission for Law Enforcement and Integrity. But Pilgrim said the “scope of that oversight differs” from the specific privacy related oversight of the Office of the Australian Information Commissioner. [The Guardian]


UK – Unmasking Banksy: Did ‘Predictive Policing’ Tool Catch An Artist?

A geographic profiling tool, developed to find serial criminals and terrorists, may have helped unmask the mystery identity of Banksy. Researchers say they have identified the elusive artist – creator of million-dollar works of political graffiti – as Robin Gunningham, supporting a theory published by Daily Mail in 2008. Scientists at Queen Mary University of London used a statistical tool to map 140 locations of Banksy’s works around Bristol and London and compare them to the homes of possible candidates, they wrote in the Journal of Spatial Science. That led them to Mr. Gunningham. This mathematical method of analysis, known as criminal and geographic profiling, is often used by law enforcement to identify serial criminals. The idea behind the technique is that people tend to commit crimes close to where they live. The technique has also been used to trace breeding sites for malaria outbreaks or to locate the roosts of wild bats, and the researchers suggested that what helped find one graffiti artist could also help locate terrorists. “More broadly, these results support previous suggestions that analysis of minor terrorism-related acts (e.g., graffiti) could be used to help locate terrorist bases before more serious incidents occur,” they wrote in their abstract. Not everyone accepts that geographical profiling can accurately pinpoint perpetrators, though it’s used by several US police departments. Data-fueled analytics also called “predictive policing,” has drawn considerable critics, arguing that the method is discriminatory and often targets minorities. “What data are they using? How are they weighing variables? What values and biases are coded into them? writes the Guardian. “Even the companies that develop them can’t answer all those questions, and what they do know can’t be divulged because of trade secrets.” “Police departments are opening the way for corporations to have disproportionate influence over what policing means in society. Technologies are not just neutral tools, and they are not divorced from politics; they are designed with certain values and goals in mind.” [Source] See also: [The Crime You Have Not Yet Committed]

Online Privacy

WW – Researchers Translate Privacy Policies into Layman’s Terms

A team of Stanford University, Carnegie Mellon University and Fordham University researchers — during a two-year span — simplified more than 20,000 privacy policies from nearly 200 websites into a more approachable and user-friendly form for their Usable Privacy Project . “Our objective is to produce succinct yet informative summaries that can be included in browser plug-ins or interactively conveyed to users by privacy assistants that inform users about salient privacy practices,” said Carnegie Mellon’s “principal investigator.” [SC Magazine]

WW – Google Agrees to Delist Links More Broadly For RTBF Compliance

Google will begin delisting links more broadly in order to better align with data protection authorities’ interpretation of the EU’s right-to-be forgotten mandate. Previously, the company said it wasn’t responsible for delisting links from and other non-EU search domains. Now, it will use geolocation data to “restrict access to delisted URLs on all Google search domains accessible from the country of the person making the delisting request,” the report states. Google Global Privacy Counsel Peter Fleischer said that, since the European Court’s ruling, the company has worked hard to find the right implementation balance. “Despite occasional disagreements, we’ve maintained a collaborative dialogue with data protection authorities throughout. We’re committed to continuing to work in this way,” he said. According to Fleischer, Google will apply its new policy retrospectively to all search results it has already delisted following RTBF requests. Google’s Transparency Report shows that the company so far has evaluated more than 1.4 million URLs for removal in response to nearly 399,000 RTBF requests. It has delisted about 43% of the links so far while leaving the remaining 57% in place. [eWEEK]

CA – Controversial Calgary-based App Peeple Launches

Curious about your kid’s soccer coach? Wondering what others think of that guy who asked you out? There’s an app for that. Sort of. The Calgary-conceived app Peeple, announced to a firestorm of controversy late last year, is finally launching Monday after retooling a number of features. Peeple will let users rate each other in three areas: personal, professional, and romantic. In a change from the original concept, reviews are only posted with the consent of the person being reviewed — that is, the service is opt-in and a user can hide their negative reviews. But a planned future paid subscription Cordray called the “truth license” — not available for Monday’s launch — will let users see all reviews, even hidden ones. [Calgary Herald] See also: [Fortney: Peeple app creator stands firm, in a bathroom] [and [‘You can’t possibly be that naive’: Dr. Phil delivers a folksy smackdown on Peeple app co-founder]

UK – ‘HAT’ trick: Service Allows Users to See and Trade Their Data

The Hub of all Things is a new service designed by U.K. researchers and aims to be the one-stop-shop for Internet users wanting to control who accesses their data and for how long. It’s a virtual personal data “store,” which allows users to see the data corporations store about them, then trade it, thus reaping the benefit of its value. Designers have launched an Indiegogo campaign to “mobilize a social movement to put the power of the Internet back into individual hands,” the report states. IOT data has “enormous value,” said HATDEX CEO Paul Tasker. “We believe that if all of us have our own HATs, we will have more power in the future to influence how our data is collected, stored and used; hugely benefitting ourselves and society whilst providing new opportunities to firms wanting to sell to us.” [ZDNet]

Other Jurisdictions

NZ – Privacy Commissioner Overwhelmed As Digital Generation Overshares

During a New South Wales parliamentary oversight committee meeting last week, Australian Privacy Commissioner Elizabeth Coombs argued to an oversight committee last week that expanding her role from part time to full time while increasing her office’s resources are necessary to expand the agency’s influence. “So much sharing of data was increasing the demand for her work,” the report states. It’s now “apparent that the digital generation cares about its privacy,” and as such Coombs “has welcomed the call for a significant expansion of her powers.” [The Sydney Morning Herald]

NZ – NSW Parliamentary Committee Backs New Privacy Laws for Individuals

The New South Wales Parliament’s Standing Committee on Law and Justice has announced its support of new legislation that would provide legal redress for individuals after a privacy breach. The laws would “fill gaps” left by the Commonwealth Privacy Act, as the legislation currently only applies to information and not small businesses or individuals, the report states. “The NSW committee has called on the state government to take a lead in the implementation of individualised privacy rules, in the face of ‘a lack of political will federally’ to put in place uniform national legislation,” the report continued. [iTnews]

NZ – NSW Pawnbrokers Association Criticizes MAC Address Requirement

New state laws require pawnbrokers to collect and store the MAC addresses of any Wi-Fi enabled tools that come through their stores. While police argue it will help track stolen devices, the NSW Pawnbrokers Association believes the requirements have “workability” and privacy problems, the report states. Customers are “averse to giving us that information if they don’t have to because they don’t want us to have access in that privacy sense,” said the association’s spokesman. “Some people don’t care — the computer is just a toy or a novelty item, but for others it’s a serious business tool … and they just don’t want people having unfettered access to that information.” [iTnews]

Privacy (US)

US – Apple Tells Judge that US Gov’t is Well-Meaning but Wrong in Privacy Fight

Apple filed its final court brief in the San Bernardino iPhone case. Apple softened its rhetoric against the Justice Department, which has been heated on both sides of the debate in the last few weeks. The 26-page brief is the last court filing by either side until they meet in court March 22. “The government’s motivations are understandable,” Apple wrote in its latest filing, “but its methods for achieving its objectives are contrary to the rule of law, the democratic process, and the rights of the American people.” According to the report, the Department of Justice said Apple was attempting to usurp power from the federal government, adding, “The Constitution and the laws of the United States do not vest that power in a single corporation.” [the Guardian]

US – Verizon Wireless to Pay $1.35 Million Fine to Settle U.S. Privacy Probe

Verizon will pay a $1.35 million fine and agreed to a three-year consent decree after the FCC said it found the company’s wireless unit violated the privacy of its users. Verizon Wireless agreed to get consumer consent before sending data about “supercookies” from its more than 100 million users, under a settlement. The largest U.S. mobile company inserted unique tracking codes in its users traffic for advertising purposes. Supercookies are unique, undeletable identifiers inserted into web traffic to identify customers in order to deliver targeted ads from Verizon and others. The FCC said Verizon Wireless failed to disclose the practice from late 2012 until 2014, violating a 2010 FCC regulation on Internet transparency. The FCC also said the supercookies overrode consumers privacy practices they had set on web browsers, which led some advocates to call it a “zombie cookie.” Under the agreement, consumers must opt in to allow their information to be shared outside Verizon Wireless, and have the right to “opt out” of sharing information with Verizon. Until March 2015, Verizon Wireless consumers could not opt out of the “supercookies,” but after several U.S. senators raised concerns about the practice, the company agreed to allow an opt-out. [Source]

WW – PWC Releases 2015 Enforcement Guide

PricewaterhouseCoopers has released its Privacy and Security Enforcement Tracker 2015. The second-annual guide aims to reflect on the past year’s most significant regulatory movements in the U.K. and across the globe. “If 2014 sounded an alarm to encourage the controllers and users of networks, computer and communications systems and [personnel] to review and improve their practices for privacy and security, then 2015 was the year when the final alarm was sounded,” the guide states. “The message of 2015 is clear: Entities that fail to take voluntary action to remedy bad practices will be forced to change.” [Source]

US – Erin Andrews Awarded $55M for Privacy Invasion

Sports reporter Erin Andrews was awarded $55 million in an invasion of privacy lawsuit. In 2008, a stalker had surreptitiously recorded the well-known reporter while she was getting dressed in her hotel room, thanks to knowledge supplied by the hotel. Though she had asked for $75 million in the lawsuit, the jury was clearly sending a message, recognizing a very real and lasting privacy harm. [Privacy Perspectives]

US – Drone Regulation Faces Committee Approval

The Senate Committee on Commerce, Science, and Transportation looks to approve legislation that would place drone regulation under the Federal Aviation Administration’s control. “Its key provisions would facilitate specific drone tests with set deadlines for progress reports and ensure that the FAA is involved at every step,” the report states. The bipartisan bill pleases drone industry representatives. “These policies will accelerate the safe use of commercial [unmanned aircraft systems] as well as expand collaborative research and operational efforts,” said the Association of Unmanned Vehicle Systems International’s Brian Wynne. “We urge the Senate to pass this bill quickly, as delaying this measure risks stunting a still-nascent industry and restricting many of the beneficial ways that businesses could use UAS technology.” [Morning Consult] See also: the smattering of state drone laws may conflict in with the drone policies of the Federal Aviation Administration


US – Weak Online Banking Password Policies

An investigation revealed that out of these 17 major banks six of them have a significant weakness in their password policy – they ignore case-sensitivity. In total, this security weakness may impact more than 350 million customers nationally. The researchers attempted to contact the banks to inform them about this issue and tried to ask for a statement why they decided to pursue a weak password policy. It turned out that it is almost impossible to contact and notify them about a security issue. When contacted via telephone hotline, most representatives were only trained for everyday business activities. e.g.:

  • 1 org was adamant that they have a case-sensitive password policy, but testing showed otherwise
  • 1 org was not even aware of the existence of a security / IT-department
  • 1 org simply said that this is their policy without any further statement or explanation [Source]

CA – KPMG Report Identified Five Key Cybersecurity Trends

Increased risks of ransomware and extortion-driven attacks as well as the rise of the Internet of Things (IoT) are challenging Canadian organizations in new ways, according to a recent report from audit, tax and advisory services firm KPMG LLP, who have identified five key cybersecurity trends impacting Canadian businesses in its Cyber Watch Report, released last week. These security risks are putting heightened pressure on organizations to protect, detect and respond to new adversaries and threat tactics, while preserving their trust and reputation with customers. [Daily News]

US – University of California Breach Monitoring System Creates Controversy

After a 2015 cyberattack, University of California President and former Secretary of Homeland Security Janet Napolitano secretly ordered a data monitoring security system installed on all state campuses, a move that, when recently exposed, has started a statewide debate. The system “monitors Internet traffic [and] it also stores it for at least 30 days. The idea is to allow security personnel to go back through the traffic to look for breaches.” Both the monitoring system and the secretiveness surrounding it have sparked ire among students and faculty. “The very substance of higher learning really would not be possible unless the faculty and students have some guarantee of confidentiality,” said the American Association of State Colleges and Universities. [NPR]

WW – Windows 10 Will Add APT Protection

At the RSA conference in San Francisco, Microsoft revealed that it would be adding protection against advanced persistent threats (APTs) to Windows 10. The service, Windows Defender Advanced Threat Protection, detects anomalous system activity. It is currently in private beta on about 500,000 systems. [NextGov] [ArsTechnica]


US – FBI Quietly Changes Privacy Rules for Accessing NSA Data

The FBI has quietly revised its privacy rules for searching data involving Americans’ international communications that was collected by the NSA, US officials have confirmed. The classified revisions were accepted by the secret US court that governs surveillance, during its annual recertification of the agencies’ broad surveillance powers. The new rules affect a set of powers colloquially known as Section 702, the portion of the law that authorizes the NSA’s sweeping “Prism” program to collect internet data. Section 702 falls under the Foreign Intelligence Surveillance Act (FISA), and is a provision set to expire later this year. A government civil liberties watchdog, the Privacy and Civil Liberties Oversight Group (PCLOB), alluded to the change in its recent overview of ongoing surveillance practices. The watchdog confirmed in a 2014 report that the FBI is allowed direct access to the NSA’s massive collections of international emails, texts and phone calls – which often include Americans on one end of the conversation. The activists also expressed concern that the FBI’s “minimization” rules, for removing or limiting sensitive data that could identify Americans, did not reflect the bureau’s easy access to the NSA’s collected international communications. FBI officials can search through the data, using Americans’ identifying information, for what PCLOB called “routine” queries unrelated to national security. The oversight group recommended more safeguards around “the FBI’s use and dissemination of Section 702 data in connection with non-foreign intelligence criminal matters”. As of 2014, the FBI was not even required to make note of when it searched the metadata, which includes the “to” or “from” lines of an email. Nor does it record how many of its data searches involve Americans’ identifying details – a practice that apparently continued through 2015, based on documents released last February. The PCLOB called such searches “substantial”, since the FBI keeps NSA-collected data with the information it acquires through more traditional means, such as individualized warrants. But the PCLOB’s new compliance report, released last month, found that the administration has submitted “revised FBI minimization procedures“ that address at least some of the group’s concerns about “many” FBI agents who use NSA-gathered data. “Changes have been implemented based on PCLOB recommendations, but we cannot comment further due to classification,” said Christopher Allen, a spokesman for the FBI. [The Guardian]

US – Court Approves $9 Million Class Action Settlement to Resolve Allegations of Unauthorized Installation of Tracking Software on Mobile Devices

The Court approved a class action settlement resolving allegations that multiple smartphone and tablet makers installed wiretapping software on their devices. Defendants are the following mobile device manufacturers: HTC; Huawei, LG Electronics, Motorola; Pantech, and Samsung. Net proceeds of the settlement will be awarded equally to class members (after payment of service awards, attorneys’ fees, costs and expense, taxes, and the costs of notice and administration of the settlement); a website must be established to provide class members with notice of the material terms of the settlement, procedures to receive benefits or exclude themselves, and how to provide comments about the settlement. [In Re Carrier IQ Inc. Consumer Privacy Litigation – US District Court Northern District of California – Case No. C-12-md-2330-EMC]

Telecom / TV

US – FCC Proposes New Privacy Rules for ISPs

Federal Communications Commission Chairman Tom Wheeler announced the agency’s highly anticipated proposal for new privacy rules for Internet service providers Thursday. Though the agency did not release the actual proposal, Wheeler described the main points of it — which centered around choice, security and transparency — and offered a three-page fact sheet. Not everyone supports this big move by the agency, however. [Source] See also: [How the FCC’s Privacy Proposal Could Affect More Than ISPs] [U.S. FCC Internet privacy proposal could harm broadband providers – Moody’s] [Wheeler: ‘Customers ought to have a say’]

US Government Programs

US – DHS Cyber Threat Sharing Program Review Shows Privacy Risks

A Department of Homeland Security review has revealed that an information-sharing program required under the Cybersecurity Information Sharing Act, passed in December, has privacy protection issues. According to the DHS report, safeguards put in place to prevent personally identifiable information may not be working. There is “residual privacy risk that these processes may not always identify and remove unrelated [personal information], thereby disseminating more [information] than is directly related to the cybersecurity threat,” DHS wrote. Under CISA, any PII shared through the program must be directly related to a cybersecurity threat, the report states. [Source]

US Legislation

US – Colorado May Ease Student Health Privacy Rules in Response to Shootings

A bipartisan Colorado bill aims to grant private therapists and counselors more legal latitude to communicate with school officials when a patient’s behavior could result in “a dangerous environment in a school,” a move that has some mental health workers concerned about its privacy impact. While the bill emphasizes the confidentiality of disclosure practices, some argue it might not be enough. “The main concern is that confidentiality is the backbone of successful therapy and treatment,” argued Mental Health America of Colorado’s Moe Keller, also a former legislator. “You have to be able to trust the person you’re talking to.” The bill passed in the state’s House of Representatives and is posed for a Senate vote. [The Wall Street Journal]

Workplace Privacy

EU – Netherlands: Companies Should Not Track Workers Through Wearables

Dutch Companies may not use wearables to monitor the health of their employees, even if the employees permission controls. This is in breach of the Data Protection Act. That the Authority Personal (AP) determined after investigation of two companies that used wearables to gain insight into the amount of movement of workers. One of the two employers also had insight into the sleep pattern of the employees. The employees of the companies were free to decide whether or not to participate in the experiment. According to the AP, there is an employment relationship, however, no question of free consent, because the employee financially dependent on the company. [Source] [(Original – in Dutch] [Google translation]

US – Approved Bill Deals with Internet Privacy At Work

A bill preventing employers from accessing their employees’ social media accounts passed the legislature on the final day of the 60-day regular session. Del. Stephen Skinner (D-Jefferson) sponsored the Internet Privacy Protection Act (HB 4364) to establish guidelines when it comes to employees’ online privacy. The legislation would prevent employers from obtaining social media passwords from their employees and also help employers, according to Skinner. There are currently no federal laws in place regarding social media privacy at work, Skinner said. [Source]




01-07 March 2016


CA – OIPC SK Finds Health Authority Allowed Technologists to Work Under Each Other’s Log-Ins

The Saskatchewan Information and Privacy Commissioner investigated a breach at the Saskatoon Regional Health Authority. It took 3-5 minutes for technologists to log-in and out of the system between patients which was too time-consuming; a number of solutions are being explored including providing each user with their own workstations (this would be very expensive and there is limited physical space), going paperless (there is still heavy reliance on paper requisitions and communications that require scanning), and having an assistant do all the scanning (this could compromise patient safety). [OIPC SK – Investigation Report 176-2015 – Saskatoon Regional Health Authority] See also: [Regina Leader: Saskatchewan Patient Access to Online Health Records Requires Big Focus on Security]

CA – OPC NS Outlines Privacy Rights for Government Info Sharing Initiatives

The Nova Scotia Information and Privacy Commissioner has released guidance on privacy rights in information sharing initiatives. Government entities should be open and transparent about how information sharing initiatives will be implemented, share the least amount of information needed to satisfy the goals of the initiative, and be accountable by implementing initiatives that establish and follow policies and procedures, risk assessment tools, formal agreements and contracts, and privacy breach reporting protocols. [OIPC NS – Protecting and Promoting Canadians Privacy and Access Rights in Information Sharing Initiatives] See also: Privacy Commissioner of Canada Daniel Therrien addressed the Senate and detailed his privacy goals in a keynote posted on the OPC’s site.


WW – Billboards Can Track Your Location; Privacy Advocates Hate It

The next time you see a billboard on the side of the road, it may also be scanning you. A geolocation-tracking feature on billboards owned by Clear Channel Outdoor gives the company new ways to target advertising and measure its effectiveness. The service has caught the eye of privacy advocates, who worry that the so-called Radar tracker will be able to collect massive amounts of information from smartphones in cars driving past. Radar will collect mobile data from three Clear Channel partners, including AT&T. Clear Channel Outdoor receives aggregated and anonymous data from its partners, not personal information, said the VP of corporate communications at the company. The company launched the service in 11 markets earlier this week. [Source] See also: [Hey, Siri and Alexa: Let’s talk privacy practices]

Electronic Records

US – Healthcare Organizations Commit to Improve EHR Information Sharing

Several of the nation’s largest players in the private sector have committed to an initiative to improve the ability of providers and patients to share and use information in electronic health records. The effort has gained support from some of the nation’s largest developers of electronic health records systems, representing 90% of the health records used by U.S. hospitals, said the secretary of the Department of Health and Human Services . And the five largest private provider systems in the country are among a group of 16 hospital and health systems that have also indicated support for the initiative. Several large industry professional organizations—including the American Medical Association, the American Health Information Management Association, HIMSS and the College of Healthcare Information Management Executives—were quick to add support for the movement. The vendors and providers have agreed to implement three core commitments: Consumer access: To help consumers easily and securely access their electronic health information, direct it to any desired location, learn how their information can be shared and used, and be assured that this information will be effectively and safely used to benefit their health and that of their community. No information blocking: To help providers share individuals’ health information for care with other providers and their patients whenever permitted by law, and not block electronic health information (defined as knowingly and unreasonably interfering with information sharing). Standards: Implement federally recognized, national interoperability standards, policies, guidance, and practices for electronic health information and adopt best practices including those related to privacy and security. [Information Management]


US – Why N.Y. judge’s All Writs Act Decision Is Huge Win for Apple

U.S. Magistrate Judge James Orenstein of Brooklyn does not have the power to bind other courts. The 50-page opinion he issued this week, denying the Justice Department’s application for an order under the All Writs Act to compel Apple to help the government unlock the phone of a convicted drug dealer, will not end the California federal-court showdown between Apple and the Justice Department over an iPhone belonging to San Bernardino shooter Syed Farook. Judge Orenstein’s decision isn’t even the last word in the Brooklyn case – the Justice Department said that it will ask for the order to be overturned by a district court judge. But Orenstein’s opinion is a milestone in the ongoing debate over privacy and national security. He is the first federal judge to analyze the reach of the All Writs Act in the age of the smartphone, yet he roots his discussion not in technological terms but in fundamental U.S. constitutional principles. Orenstein’s conclusions do not rely on the specific facts of the case before him or on the particulars of the operating system at issue. They are based on his reading of constitutional and Congressional history, providing broad context for his assertion of government overreaching. Judges considering contested All Writs Act requests in other courts may differ with Orenstein but they ought not ignore him. [Source] [Apple and FBI testify in hearing on locked iPhone: What we learned] [Apple’s Tim Cook defends privacy at shareholder meeting]

EU Developments

EU – EU-US Officials Release Privacy Shield Details

The European Commission and U.S. Department of Commerce have released details about the highly anticipated EU-U.S. Privacy Shield arrangement this week. The 132-page Privacy Shield Package includes a set of “Privacy Shield Principles,” two annexes, and letters from the International Trade Administration, U.S. Federal Trade Commission, U.S. Department of Transportation, the U.S. Director of National Intelligence, U.S. Department of State, and the U.S. Department of Justice. The proposed data transfer agreement is being met with criticism from privacy advocates, leaving US companies in limbo regarding the handling of EU citizens’ data. Privacy Shield was created as a replacement for the Safe Harbor Agreement, which the European Court of Justice nullified last October. Privacy Shield now faces scrutiny of EU regulators. [Ars Technica] [The Hill] [ComputerWorld] [Fortune] [The Privacy Advisor]

EU – WP29 Issues Statement on Privacy Shield

The group of EU data protection authorities — the Article 29 Working Party — issued a statement this week in response to the newly published details of the proposed EU-U.S. Privacy Shield arrangement. The group says it “welcomes the publication of the draft ‘adequacy decision’ of the European Commission” and the corresponding texts comprising the arrangement. It also said it will “analyze the safeguards” both in terms of the commercial and national security aspects and will finalize a draft opinion at its next plenary meeting on April 12 and 13. Meanwhile, reaction to the 132-page package is underway, including from Schleswig-Holstein DPA Marit Hansen. [Source]

UK – Techs, Privacy Wonks & Politicos Blast Investigatory Powers Bill

A tweaked version of the Investigatory Powers Bill—which seeks to augment surveillance of Brits’ online activity—landed with a thud in parliament this week, as privacy groups, the tech world, and politicians lined up to attack home secretary Theresa May’s proposed law. Time and time again, the word “disappointment” was bandied around by companies, organisations, and individuals that will be directly affected by the planned legislation. Many critics expressed anger about May’s dismissive response to the key recommendations laid out in three separate parliamentary reports about the Snoopers’ Charter, as it is colloquially known. [Ars Technica] [Everything you need to know about the redrafted IP Bill] [According to opinion polls voters don’t mind mass surveillance] [UK: Surveillance law: Revised bill to add privacy safeguards] [The UK government has been hacking for years—and now it’s legal]

EU – Facebook Hit With German Antitrust Investigation Over User Terms

Germany’s Federal Cartel Office will begin an investigation on Facebook’s data collection and advertising agreements. The unclear terms create “an abusive imposition of unfair conditions on users,” the Bundeskartellamt argued in a statement. “There is considerable doubt as to the admissibility of this procedure, in particular under applicable national data protection law,” the statement continued. “If there is a connection between such an infringement and market dominance, this could also constitute an abusive practice under competition law.” Facebook disagrees. “We are confident that we comply with the law and we look forward to working with the Federal Cartel Office to answer their questions.” [Fortune]

EU – German Privacy Watchdog Plans to Fine US Companies

Hamburg (Germany) Data Protection Authority (DPA) plans to fine three US companies for mishandling EU citizens’ data. The companies were following the Safe Harbor agreement that an EU court nullified last fall. Because there is not a firm new agreement in place, companies that are transferring data are breaking the law. Two other companies are reportedly under investigation. [Fortune] See also: Germany’s new data protection enforcement law went live on Feb. 24, and it could pose “an additional risk” for companies. See also: French data protection authority, CNIL, published its Single Authorization Decision No. 46, which aims to simplify the “administration burden” of legal compliance upon data processing.

Facts & Stats

WW – National Security Trumps Digital Privacy: 24 Country Survey

According to a new survey commissioned by the Centre for International Governance Innovation (CIGI) and conducted by global research company Ipsos, most global citizens favour enabling law enforcement to access private online conversations if they have valid national security reasons to do so, or if they are investigating an individual suspected of committing a crime. The survey also found that a majority of respondents do not want companies to develop technologies that would undermine law enforcement’s ability to access much needed data.

  • Seven in ten (70%) global citizens agree that law enforcement agencies should have a right to access the content of their citizens’ online communications for valid national security reasons, including 69% of Americans and 65% of Canadians who agree.
  • When someone is suspected of a crime, 85% of global citizens agree that governments should be able to find out who their suspects communicated with online, including 80% of Americans who agree.
  • More contentious is the idea of whether companies should be allowed to develop technologies that prevent law enforcement from accessing the content of an individual’s online conversations. On this issue, 63% agree that companies should not develop this technology, including 60% of Americans, and 57% of Canadians whom are most likely to agree with this statement.

Read the news release here. [Centre for International Governance Innovation (CIGI)]


CA – CRA Automates Most of Your Return, Helping Tax Software

Electronic tax filing is getting easier this year with Auto-fill, a CRA service that enters information for taxpayers using most kinds of certified tax software. The CRA has always had copies of most of the forms about each taxpayer, receiving them from banks and employers before you do. Last year it began a pilot program with the service it calls Auto-fill that allowed chartered accountants and other certified tax professionals to have this data entered onto a personal tax form automatically. This year that program rolls out to everyone. As long as you are filing on a software program that offers the option and have a “MyAccount” file with the CRA, the Auto-fill function will work. Groups such as Open Media and the Canadian Civil Liberties Association say Auto-fill is too new to assess the privacy implications. The CRA insists the Auto-fill function is secure, as information is only available if a taxpayer logs into MyAccount, which requires a robust password. Ann Cavoukian, a former privacy commissioner, said it is right to worry about privacy and security whenever a new feature like this is rolled out. [Source]

WW – Google’s New Payments App Means Never Having to Pull Out Your Wallet

Pay with your voice. Google has released to the public a new app called Hands Free, which lets people pay for items in stores by simply telling the cashier, “I’ll pay with Google.” The app, available for Android and Apple phones, is only being piloted in a few locations in the San Francisco area, including some McDonald’s and Papa John’s restaurants.Hands Free, which is separate from Google’s Android Pay mobile payments app, works by tracking your location using Wi-Fi and other sensors in your smartphone to detect whether you’re near a participating store. After you say “I’ll pay with Google,” the cashier confirms your identity by using your initials and the photo you’ve loaded onto the Hands Free app. At some stores, Google is also experimenting with an in-store camera to verify your identity automatically based on your Hands Free profile picture. Google said images and data from these cameras are deleted immediately and can’t be accessed by the stores. [Source]


CA – OIPC BC Upholds City’s Decision to Withhold Records

The Office of the BC Information and Privacy Commissioner reviewed a decision by the City of Nanaimo to deny access to records requested pursuant to the Freedom of Information and Protection of Privacy Act. The City was ordered to continue to withhold records which could reveal a motion made at an in camera Committee, emails exchanged between the City and regional district containing explicit markers of confidentiality, and assessment and evaluation records of how a City employee performed his job duties. [OIPC BC – Order F16-03 – City of Nanaimo]


US – Obama Says People Who Give Genetic Samples for Research Should Own the Data

During last week’s summit on the Precision Medicine Initiative at the White House, President Barack Obama acknowledged the thorny issues surrounding genetic data ownership, a move some view as unprecedented. “It requires, first of all, us understanding who owns the data,” Obama said. “And I would like to think that if somebody does a test on me or my genes, that that’s mine. But that’s not always how we define these issues, right? So there’s some legal issues involved,” he added. “I had not heard this before from the president or anyone high-up at the White House, said Genetic Alliance’s Sharon Terry. [Slate] See also: [Manitoba DNA sweeps pose wrenching ethical questions: Carol Goar]

Health / Medical

US – Health IT Firms Ally with White House on Initiatives

The Obama administration announced that it has received commitments from various health IT developers to assist the president’s health care modernization initiatives. Among the proposed plans are allowing patients to access their records and test results with greater ease; streamlining data sharing between entities, while ensuring adherence to privacy legislation: and making the “data language” between groups universal, the report states. “We are working to unlock healthcare data and information so that providers are better informed and patients and families can access their healthcare information, making them empowered, active participants in their own care,” said Health and Human Services Secretary Sylvia Burwell. [The Hill]

EU – German Hospitals Hit with Ransomware

Computer systems at two hospitals in Germany were infected with ransomware. The cleanup process is expected to take several weeks. At Lukas Hospital in Neuss, the attack affected an x-ray system, an email server, and other network components. At Klinikum Arnsberg in North Rhine-Westphalia, the attack was detected after it infected one server. There are reports that a third hospital was targeted as well. [ZDNet] [The Register] [SCMagazine] [] See also: [The “HawkEye” attack: how cybercrooks target small businesses for big money]

UK – NHS Suffers 105 Security Breaches Over Personal Data in Year

Security breaches over personal data held by the NHS nearly doubled to more than 100 during the last financial year. Figures obtained under the Freedom of Information Act show that there were 105 such breaches in hospitals and other bodies in the National Health Service in the financial year 2014-15. This was an increase of 81% on the previous year, with 58 security breaches over personal data. The UK Information Commissioner’s Office said that action was taken to prevent repetitions, including six “enforcement notices” against NHS bodies in 2014-15. [ExaroNews]

Horror Stories

US – IRS Breach Now Estimated to Affect 724,000 People

The number of people affected by the US Internal Revenue Service (IRS) data breach keeps growing. The agency now estimates that the personal information of as many as 724,000 people has been stolen since January 2014. When the breach was first disclosed, the IRS estimated that it affected roughly 100,000 people; that figure was revised to 334,000 on August 2015. [NextGov] [NBCNews] [The Hill] [ComputerWorld] [The Register] [Krebs on Security]

WW – Companies Underestimating Breaches’ ‘Human Element’: Study

The breach catalyzed by a Snapchat employee who fell for a phishing scam is symptomatic of many companies’ data security problems. “Even if your technical security is up to snuff, your people may let you down.” A 2015 CompTIA survey found that more than half of security breaches that year were caused by human error, with 30% of respondents considering the “human element” to be a significant cybersecurity concern. The survey “suggests that companies may not be doing enough to prepare their workers for a world where a new scam might be in their inbox everyday.” [Washington Post] See also: [Hackers Can Steal Passwords, But Not User Behavior: In almost every publicized breach, security analysts ignored the crucial alerts due to the copious amounts of false alarms triggered on a daily basis]

Identity Issues

CA – Manitoba’s Multi-use PID Cards: Convenience Trumps Privacy

On January 11, 2016, Manitoba announced its approval of an all-in-one personal identification card (PIC). The PIC will offer Manitobans a combined driver’s licence, photo ID, Personal Health Identification Number (PHIN) and travel document as early as fall 2017. While the consolidation of identification into one location is a blessing for consumers, it raises privacy concerns and creates some challenges for business. BC introduced a similar combined card in February 2013. But unlike BC, where the province was criticized for not consulting the public, Manitoba Health Minister Sharon Blady emphasized that the move towards PICs came after a five-week public consultation process where overwhelmingly positive responses were reported. 80% of Manitobans surveyed said they agreed with the idea of creating an all-in-one PIC. However, a closer look at Manitoba’s full consultation report reveals interesting data on why PICs were supported. For example, when asked what the most important benefits of the proposed PICs were, 73% of respondents indicated convenience while only 18% cited enhanced protection. Similarly, in an online survey of 1,515 Manitobans, 71% rated convenience as the top benefit while only 16% indicated protection of identity theft/fraud. Public sentiment towards the convenience of PICs illustrates how privacy concerns, which trumped proposals for a national identity card in 2002, could be overlooked in today’s digital age. As a recent survey by the Pew Research Centre demonstrates, people are consistently willing to share personal information in exchange for something of perceived value. For example, 52% of respondents in the Pew survey said they would allow their doctor’s office to upload their personal health information onto a website described as “secure” if it made scheduling appointments easier and facilitated easy access to medical records. [CyberLex Blog (McCarthy Tétrault)]

CA – Inadvertent Sharing of Canadians’ Metadata by Intelligence Agency Shows Weaknesses of De-Identification

Two lawyers examine the sharing of intelligence data between the Five Eyes allies. The agency’s de-identification techniques failed when mixed with its allies’ re-identification capabilities; the risk of re-identification increases significantly where a data set includes data such as location-based data, IP addresses or cookies, or where the attack vector includes significant amounts of secondary data that can be linked to the de-identified dataset. [Why We Need to Reevaluate How We Share Intelligence Data With Allies – Tamir Israel and Christopher Parsons, Just Security]

Internet / WWW

WW – New Project Monitors Social Media for Signs of Mental Illness

Canadian and French researchers are working on algorithm to screen online posts for warning signs. $464,100 has been granted to the University of Ottawa for a three-year-long project called “social web mining and sentiment analysis for mental illness detection.”   “Social media is everywhere,” reads a news release issued by the university. “Internet users are posting, blogging and tweeting about almost everything, including their moods, activities and social interactions.”    The release goes on to explain how scientists from the universities of Ottawa, Alberta and Montpellier in France, will explore the use of social media data in screening for individuals at risk of mental health issues. [CBC]

Law Enforcement

CA – Saskatchewan Police Don’t Have or Want Stingray Tech

Municipal police agencies in Saskatchewan say they’re currently not using — and have no plans to use — “stingray” technology employed by other law enforcement agencies for tracking cellular devices. The technology has come under criticism south of the border from the ACLU; about 60 police agencies across 23 states and the DC in the U.S. have been reported to use the devices. According to a 2015 report from the ACLU, “stingrays,” also known as cell site simulators, are considered “invasive cellphone surveillance devices that mimic cellphone towers and send out signals to trick cellphones in the area into transmitting their locations and identifying information.” Brenda McPhail, director of the Canadian Civil Liberties Association’s privacy, technology and surveillance project, said stingray technology is on the rights advocacy group’s radar. She said requests for information on the devices within the Vancouver Police Department by Vancouver-based advocacy organization Pivot Legal Society, and of the RCMP and the Ontario Provincial Police by the Toronto Star in 2015, have gone largely unanswered. However, McPhail said chances are slim the device is nowhere to be found in Canada. [Saskatoon StarPhoenix] See also: [StingRays breach cell phone privacy]

US – Maryland Bill Permits Govt Use of Automatic License Plate Reader Systems

The State of Maryland has introduced a Bill related to the use of Automated License Plate Readers by law enforcement. Law enforcement agencies are not permitted to use captured data from an automated license plate reader unless the agency has a legitimate law enforcement purposes; the Department of State Police must adopt procedures including an audit process to ensure that information obtained through the use of an automatic license plate reader system is used only for legitimate law enforcement purposes, and safeguards to ensure that staff with access to the automatic license plate reader database are adequately screened and trained. [Maryland Public Safety Code 3-509 – License Plate Readers]

CA – MPPAC: RCMP Commissioner Should Resign Over Breach

The Mounted Police Professional Association of Canada (MPPAC) is calling for the resignation of the RCMP Commissioner Bob Paulson, following an investigation from the Office of the Privacy Commissioner of Canada which found that the release of RCMP members medical information was a “well-founded serious privacy breach.” Commissioner Paulson admitted that he authorized the investigation. Just this week Commissioner Paulson admitted to authorizing the release of sensitive health information of RCMP officers to the College of Psychologists without their permission. Canada’s Privacy Commissioner concluded that by sharing private medical information without the consent of the officers, the RCMP breached the Privacy Act. If the Commissioner does not resign, MPPAC is calling on the Government of Canada to take appropriate action. [Canada NewsWire]

Online Privacy

WW – Protect Your Privacy Online—and See Better Prices Doing It

The prices you see while shopping on the Web are aren’t always the same as the deals displayed to your spouse, neighbors or co-workers. But now, at least one technology company is helping customers see the unadulterated costs of their online purchases. eBlocker is a device that attaches to customers’ Wi-Fi routers to mask their identity from online tracking software. eBlocker protects every device in your home by combining the power of an advertising blocker, an IP address rerouter and by protecting you from being identified by third-party trackers. In other words, when you get online, you get a clean slate as if you’ve never used that device before. You can still use first-party cookies, like those that remember your passwords, but once you leave that website, you’re anonymous again. It’s like a combination of encryption, Adblock Plus and Tor, a so-called onion router often associated with the “dark Web.” But eBlocker avoids the hassle of installing all these on each device. It’s all part of an elaborate industry aimed at stopping a largely opaque phenomenon of online tracking: dynamic pricing. [CNBC]

Other Jurisdictions

AU – NSW May Introduce Tort/Law of Invasions of Privacy

Secret mobile phone recordings and revenge porn-style social media posts could be subject to tough new laws in NSW allowing people to sue for damages for invasion of privacy. The State Parliament’s law and justice committee recommended that NSW should “lead the way” in Australia in creating a new legal action for serious invasions of privacy. The laws could be replicated across the country. Under the plan, a person could sue for damages if their privacy had been invaded intentionally or recklessly. Governments and corporations would be held to a higher standard, and could also be pursued for damages over “big data”-style privacy breaches committed negligently. But experts have raised questions about whether the laws go too far, and might catch a wide range of “common human errors” such as government or corporate employees sending an email containing private information to the wrong recipient. The recommendations, endorsed unanimously by committee members drawn from the ranks of the Coalition, Labor and the Greens, follow renewed debate about the adequacy of existing laws protecting against invasions of privacy. [Sydney Morning Herald]

Privacy (US)

US – Apple Wins Ruling in New York iPhone Hacking Order

U.S. Magistrate Judge James Orenstein denied a government request that Apple help it gather data from an iPhone in a drug case, a ruling that bolsters Apple’s pro-privacy posture and potentially paves the way for similar judgments in other pending cases, including the iPhone of one of the San Bernardino shooters. Orenstein ruled the government was expanding its authority too broadly by using the All Writs Act to compel Apple to extract the locked phone’s data. Apple’s top lawyer, Bruce Sewell will testify in front of Congress today, along with FBI Director James Comey, on encryption and government access for law enforcement purposes. Meanwhile, Sen. Mark Warner, D-Va., and Rep. Michael McCaul, R-Texas, have officially introduced legislation that would create a National Commission on Security and Technology Challenges to help find solutions to the encryption and data security issue. [New York Times] See also: [Privacy groups wary of compromise encryption bill]

US – NY Court Rejects FBI Argument for Breaking iPhone Lockscreen in 2nd Case

Apple just won a victory in an iPhone warrant case although it may not help the company in its San Bernardino trial. The victory comes from a New York district court that’s been facing something legally similar to the higher-profile warrant case playing out in San Bernardino. In a 50-page ruling, Magistrate Judge Orenstein found that the All Writs Act did not justify the government’s request, and denied the government’s request to legally compel Apple’s help. [The Verge] See also: [Huge data cache retrieved from electronic devices belonging to men accused of Tim Bosma murder: OPP]

US – Legislators Speak Out in Support of Apple

Representative Darrell Issa (R-California) has published a column on in which he writes, “The FBI cannot mandate that Apple create a backdoor to override the iPhone’s encryption features without creating a dangerous precedent that could cast a long shadow over the future of how we use our phones, laptops, and the internet for years to come.” [Wired] In a letter to FBI Director James Comey, US Congressman Ted Lieu (D-California) writes, “As a computer science major, I have seen far-reaching unintended consequences when government applies outmoded concepts to out fast changing technological world.” [FCW] As the debate surrounding the FBI’s case against Apple continues, two U.S. lawmakers have proposed a new multi-stakeholder commission to investigate data security issues.

US – Digital Equilibrium Project on Privacy and Security in the Connected World

The Digital Equilibrium Project, a collection of privacy and infosecurity veterans from government and industry have launched a white paper to define the issue and announce plans for a summit this summer to tackle what they describe as the “growing tension between privacy and security.” This paper is meant to foster a new, collaborative discussion on the most pressing questions that could determine the future safety and social value of the internet and the digital technologies that depend on it. It urges governments, corporations and privacy advocates to put aside the polarizing arguments that have cast security and privacy as opposing forces, posing 4 fundamental questions that must be addressed to ensure the digital world can evolve in ways that ensure individual privacy while enabling the productivity and commercial gains that can improve quality of life around the globe. Ann Cavoukian is among the authors. [Read Now]

US – California DMV Sued for Alleged Illegal Data Retention

Six plaintiffs maintain that California’s Department of Motor Vehicles breached the Information Practices Act and due process by unlawfully collecting and sharing private criminal records. The court papers, filed last week, argue that the agency has a trove of “upwards of one million” Californians’ data, a move that “violates privacy protections for certain records by retaining them after the statutory period has expired,” the report states. “California employers are aware that the DMV’s loose record retention and reporting practices allow them access to criminal history records they would otherwise be unable to obtain,” the suit states. “They take full advantage of this criminal record reporting loophole.” [Courthouse News]

Privacy Enhancing Technologies (PETs)

US – DHS Awards Yale University $1.7M for Data Privacy Research

Yale University’s “PriFi Networking” project now has $1.7 million from the Department of Homeland Security, a grant from the agency that aims to assist the university’s anti-tracking and surveillance technology development. The gift was thanks to the DHS Science and Technology Cyber Security Division’s Data Privacy program that invests in the creation of cost-effective and approachable pro-privacy tools. “Keeping the homeland secure depends on both guarding and granting access to secure systems, facilities, and other resources,” said DHS Undersecretary for Science and Technology Dr. Reginald Brothers. “Protecting Personally Identifiable Information is vital to the DHS mission and S&T has a long-standing interest in privacy-enhancing technologies.” [Newswise]


US – IBM to Acquire Resilient Systems, Bringing Bruce Schneier on Board

Cybersecurity firm Resilient Systems and its Chief Technology Officer Bruce Schneier will become a part of the IBM family. “The acquisition will give IBM Security the industry’s first integrated end-to-end platform combining analytics, forensics, vulnerability management and incident response,” the report states. “The deal should be good for both companies, and will certainly benefit their respective customers.” [PCWorld]

US – CFPB Dives Into Data Security Enforcement

On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) announced its first data security enforcement action in the form of a Consent Order with online payment platform Dwolla, Inc.  The five-year Consent Order is based on CFPB allegations that Dwolla engaged in deceptive acts and practices by misrepresenting to consumers that it had “reasonable and appropriate data security practices.”  Dwolla neither admitted nor denied that it engaged in data security misrepresentations.  The CFPB fined Dwolla $100,000, enjoined it from making further misrepresentations, and is requiring that it develop a written, comprehensive data security program, designate a person responsible for the program, provide employee training, conduct risk assessments, and undergo independent third party audits annually, among other things.  The CFPB also places primary responsibility for compliance with the Consent Order on Dwolla’s board of directors. [HLDA]

WW – Securing Data for Remote Access Users

Business requirements, distributed operations, and cloud deployments are forcing organizations to rethink remote access requirements, including how to secure the data and applications they access. According to a study conducted by software company Intuit, by 2020 more than 40% of the U.S. workforce will be contractors and contingent workers; that’s more than 60 million people. Why so? Because of the almost ubiquitous needs for organizations to share data in such a way that it speeds the flow of business transactions. The result is that most users are outside the enterprises, accessing data and applications as credentialed guests. And hence, the ‘outside-in’ network is the new normal. [Source]


US – California Courts Demand Total Access to Email and Social Media Accounts

The California Electronic Communications Privacy Act. Which took effect on Jan 1, 2016, has privacy advocates concerned that its “Fourth waiver” element railroads the privacy of individuals under probation or parole. This component of the act permits law enforcement to check the laptops or other devices of individuals on parole without a warrant. “Folks on parole, probation, even supervised release, they have a reduced expectation of privacy while they’re under supervision,” said the ACLU of California. “But that’s not the same as no right to privacy online or offline.” [The Intercept]

Telecom / TV

US – Cable/Telecom Operators Offer Up Privacy Framework to FCC

The National Cable & Telecommunications Association and American Cable Association have joined with other trade and tech groups to offer up what is being billed as a consensus privacy framework outlining guiding privacy principles. In essence, the framework is an articulation of NCTA’s argument that rather than come up with new rules and regs, the FCC should, as the new proposal says, “[pursue] reasonable enforcement actions against telecommunications service providers that have clearly violated these principles.” That is the FTC model. The FTC has enforcement authority but very limited authority to promulgate new regulations. The proposal, which was offered up in a letter to FCC chairman Tom Wheeler comes as the FCC prepares a proposal on how to oversee broadband sub privacy–a new authority under its Title II reclassification–as it currently does traditional video CPNI (customer network proprietary information). A vote on that proposal could come as early as this month’s public meeting. NCTA and ACA, joined by USTelecom, CTIA and the Competitive Carriers Association, said the FCC should focus on four things: “(1) transparency; (2) respect for context and consumer choice; (3) data security; and (4) data breach notification.” [Source] See also: [The 5 Things Every Privacy Lawyer Needs to Know about the FTC]

US – Publishing Group Calls on FCC to Regulate Broadband Data Use

As the Federal Communications Commission begins to draft privacy regulations for broadband providers, online publishing group Digital Content Next advised the FCC to ensure broadband companies both inform and empower their customers about the companies’ use of personal data. “In light of their access to sensitive information about consumers, we urge the FCC to require broadband providers to provide consumers with transparency and meaningful choice with regard to the collection and use of personal information,” DCN wrote in its letter to the FCC. “Consumers should have the ability to exercise choice via a mechanism that is easy to use, persistent and universal.” [MediaPost]

US – Swire Study: Encryption, Mobile Devices Curb ISP Knowledge

In a new report, Alston & Bird’s Peter Swire says that the employment of encryption and mobile devices has shrunk Internet service providers’ knowledge regarding their customers’ online habits. His study aims to counter advocacy groups’ “widely-held but mistaken view about Internet service providers and privacy,” he said, one that sees ISPs as entities collecting treasure troves of user data without consent. While staying away from definitive policy suggestions, Swire says overall, “public policy should be consistent and based on an up-to-date and accurate understanding of the facts of this ecosystem.” [MediaPost]

US Government Programs

US – TSA Defends Full-Body Scanners at Airport Checkpoints

Three years, more than 1,000 comments and multiple challenges by advocacy groups later, the TSA issued a rule finalizing its policy for using full-body scanners at airports. While TSA insists the machines are the best way to protect the nation’s travelers from terror attacks, critics challenge the use of devices over privacy and health concerns. The legal battle went all the way to an appeals court, which said TSA could keep the machines if it took legal steps to justify their use. In a 157-page report that summarizes arguments for and against the machines, and their hefty price tag — $2.1 billion from 2008 through 2017 — the agency said the devices provide “the most effective and least intrusive” way to search travelers for weapons hidden under their clothes. And with that, the agency finalized its regulation governing the machines. The rule won’t change anything for travelers. Even as the question wound its way through courts, TSA deployed the machines and now uses 793 full-body scanners at 157 airports. [Source]

US Legislation

US – Legislative Roundup